Need Help Understanding Cisco IP NAT Example

Hello Experts,

I am having a difficult time understanding what this Cisco example is saying. I read this article here ( and in the example it says:

!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.

access-list 111 deny ip
access-list 111 permit ip any any

Does this mean that any packets that matches access-list 111 that denies (source of main office) to (VPN user) or something? Can someone translate this in a easier way?
Who is Participating?
In this case, you are not using the ACL to permit or deny traffic to pass on the interface, you are defining what traffic to apply to the NAT operation.

In cisco-speak, you are defining "interesting traffic" for NAT
Since ACLs are evaluated sequentially, you put the deny first.

so you are saying:
DON't NAT between and
DO NAT everything else

the / 24 network is the "inside" network
the network is the pool of ip addresses that is assigned to remote users vpn'ing in

so the ACL is saying:
Don't NAT between the VPN clients and the internal network
NAT everything else (ie - NAT all inside traffic destined for the internet)

katredrumAuthor Commented:
Wonderful translation, I can understand that, but I always thought ACLs are:

deny ip (source) (wildcard) (destination) (wildcard)

In your translation, don't NAT between (destination) then (source), can you please clarify?
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

katredrumAuthor Commented:
So if it was a permit as:

access-list 111 permit ip ip

then translation would be?:
NAT between the VPN clients and internal network (which it wouldn't work but just for translation)
Deny everything else (implicit deny)
katredrumAuthor Commented:
Sorry one more question. So would it be the same if we flipped the statement as:

access-list 111 deny ip be the same as
access-list 111 deny ip
katredrumAuthor Commented:
I guess there is no explanation for my last question? Thanks anyway.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.