Need Help Understanding Cisco IP NAT Example

Hello Experts,

I am having a difficult time understanding what this Cisco example is saying. I read this article here ( and in the example it says:

!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.

access-list 111 deny ip
access-list 111 permit ip any any

Does this mean that any packets that match access-list 111 that denies (source of main office) to (VPN user) or something? Can someone translate this in an easier way?


the / 24 network is the "inside" network
the network is the pool of ip addresses that is assigned to remote users vpn'ing in

so the ACL is saying:
Don't NAT between the VPN clients and the internal network
NAT everything else (ie - NAT all inside traffic destined for the internet)

katredrum (Author) commented:
Wonderful translation, I can understand that, but I always thought ACLs are:

deny ip (source) (wildcard) (destination) (wildcard)

In your translation, don't NAT between (destination) then (source), can you please clarify?
katredrum (Author) commented:
So if it was a permit as:

access-list 111 permit ip ip

then translation would be?:
NAT between the VPN clients and internal network (which it wouldn't work but just for translation)
Deny everything else (implicit deny)

In this case, you are not using the ACL to permit or deny traffic to pass on the interface, you are defining what traffic to apply to the NAT operation.

In cisco-speak, you are defining "interesting traffic" for NAT
Since ACLs are evaluated sequentially, you put the deny first.

so you are saying:
DON'T NAT between and
DO NAT everything else
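To make the "first match wins, then implicit deny" behaviour concrete, here is an added Python model of how a NAT "interesting traffic" ACL is evaluated. It is not from the thread or from Cisco; the inside network (10.1.1.0/24) and VPN pool (192.168.100.0/24) are constructed placeholders, since the real addresses are not visible above, and wildcard masks follow the usual Cisco convention (a 1 bit means "don't care").

```python
import ipaddress

# Constructed placeholder networks (the thread's real addresses are not shown).
INSIDE, INSIDE_WC = "10.1.1.0", "0.0.0.255"         # the "inside" /24
VPN_POOL, VPN_WC = "192.168.100.0", "0.0.0.255"     # pool handed to VPN users
ANY = ("0.0.0.0", "255.255.255.255")                 # "any" in ACL syntax


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: only the 0 bits of the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def should_nat(acl, src: str, dst: str) -> bool:
    """Walk the ACL top-down; the first entry whose source AND destination
    match decides. In a NAT ACL, permit = translate, deny = leave untouched.
    Falling off the end hits the implicit deny: no translation."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False


# access-list 111 deny ip <inside> <wc> <vpn-pool> <wc>
# access-list 111 permit ip any any
ACL_111 = [
    ("deny", INSIDE, INSIDE_WC, VPN_POOL, VPN_WC),
    ("permit", *ANY, *ANY),
]

# The permit-only variant asked about above: the same pair is now the
# only permitted traffic, and everything else falls to the implicit deny.
ACL_PERMIT_ONLY = [("permit", INSIDE, INSIDE_WC, VPN_POOL, VPN_WC)]

if __name__ == "__main__":
    for name, acl in (("ACL 111", ACL_111), ("permit-only", ACL_PERMIT_ONLY)):
        print(name, "inside->vpn  NAT?", should_nat(acl, "10.1.1.5", "192.168.100.7"))
        print(name, "inside->inet NAT?", should_nat(acl, "10.1.1.5", "203.0.113.10"))
```

Note that an entry is matched positionally (source first, then destination), so swapping the two address pairs in a single line produces a different entry, as the last assertion shows.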


katredrum (Author) commented:
Sorry one more question. So would it be the same if we flipped the statement as:

access-list 111 deny ip be the same as
access-list 111 deny ip
katredrum (Author) commented:
I guess there is no explanation for my last question? Thanks anyway.