MikeyMays
asked on
NAT and ACL
I’m new to the Cisco ASA stuff I just wanted some clarification on this matter.
If you can define a NAT. What is the point in an ACL?
1. Is it for you to allow more control over NAT? Let’s say you wanted to block HTTPS on a certain web server would the ACL be the place to do it?
2. Instead of opening the whole range of protocols in NAT does an ACL give you the option to define what protocols should be open for that IP?
3. Does it allow you to define what source IP is allowed to access what protocol and ports?
So basically is an ACL for more “tweaking” what protocols and ports are open on a defined NAT?
I’m also under the assumption you can use an ACL for an interface to define a group of IP’s or networks.
Am I close or am I way off on my thinking? Thanks in advance
Basically an ACL is to filter packets per protocols, ports and addresses. It's assigned per interface (in/out). You can define groups of protocols, ports and addresses.
NAT is to translate addresses and ports, not to filter. You can use ACL in NAT to filter what is being translated.
If you want to know what is done first on the router (filtering or translation -> order of operation) see here http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
ASKER
OK, so that's why NAT gives you the option of PAT: in case you had a web server running on, let's say, 8080, you can accept connections on port 80 from the outside, but once inside the firewall it's translated to 8080. And according to the Cisco link you provided me, outside-to-inside the ACL would be before NAT, so let's say you had a group of outside computers with static IPs, you could allow only those computers to access the web server instead of letting everyone. Thanks, it's starting to make sense. So without an ACL, does this mean you just let all protocols go through if you had only a NAT setup without a service?
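The scenario the asker describes, written up as an added example ASA configuration (it is not from the original thread or from either poster). It assumes ASA 8.3 or later object-NAT syntax; the addresses, object names and the ACL name are constructed for illustration. The web server listens on 8080 internally, is published on port 80 of the outside interface by static PAT, and only two trusted outside hosts are permitted to reach it; everything else inbound on the outside interface is denied and logged.

```cisco
! Real (inside) web server, listening on TCP 8080 (constructed address)
object network WEB_SERVER
 host 192.168.1.10
 ! Static PAT: outside clients connect to <outside interface IP>:80,
 ! the ASA rewrites the destination to 192.168.1.10:8080
 nat (inside,outside) static interface service tcp 8080 80

! The only outside source addresses allowed to reach the server (constructed)
object-group network TRUSTED_CLIENTS
 network-object host 203.0.113.5
 network-object host 203.0.113.6

! Interface ACL doing the filtering that NAT does not do.
! On ASA 8.3+ the ACL matches the REAL (untranslated) destination,
! so the permit names the server object and its real port 8080, not 80.
access-list OUTSIDE_IN extended permit tcp object-group TRUSTED_CLIENTS object WEB_SERVER eq 8080
access-list OUTSIDE_IN extended deny ip any any log

! Apply the ACL inbound on the outside interface
access-group OUTSIDE_IN in interface outside
```

The split of responsibilities is the point of the example: the `nat` statement only decides how addresses and ports are rewritten, while the `access-list` / `access-group` pair decides who may send what. On an ASA, traffic from a lower-security interface (outside) to a higher-security one (inside) is dropped unless an interface ACL permits it, so a NAT rule on its own does not open anything; removing the ACL here would not expose every protocol, it would block the published server entirely. The explicit `deny ip any any log` line at the end simply makes the implicit deny visible in the logs, which is useful when verifying that only the trusted clients are getting through.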
ASKER
I wasn't too sure but it's more clear now. Thanks
http://www.petenetlive.com/KB/Article/0000054.htm
2. yes, with ACL to outside interface
http://www.petenetlive.com/KB/Article/0000077.htm
3. yes, with ACL to outside interface
http://www.petenetlive.com/KB/Article/0000077.htm