katredrum
asked on
Need Help Understanding Cisco IP NAT Example
Hello Experts,
I am having a difficult time understanding what this Cisco example is saying. I read this article here (http://www.ciscosystems.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml) and in the example it says:
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
Does this mean that any packets that match access-list 111, which denies 10.10.10.0 (source of main office) to 192.168.1.0 (VPN user), or something? Can someone translate this in an easier way?
ASKER
Wonderful translation, I can understand that, but I always thought ACLs are:
deny ip (source) (wildcard) (destination) (wildcard)
In your translation it says don't NAT between (destination) then (source); can you please clarify?
ASKER
So if it were a permit, as in:
access-list 111 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
then the translation would be:
NAT between the VPN clients and internal network (which wouldn't work, but just for the translation)
Deny everything else (implicit deny)
ASKER
Sorry, one more question. Would it be the same if we flipped the statement, i.e. would
access-list 111 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 be the same as
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255?
ASKER
I guess there is no explanation for my last question? Thanks anyway.
The 192.168.1.0/24 network is the pool of IP addresses that is assigned to remote users VPN'ing in,
so the ACL is saying:
Don't NAT between the VPN clients and the internal network
NAT everything else (i.e. NAT all inside traffic destined for the Internet)
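An added example (my own code, not from the Cisco article or anyone in this thread) that evaluates the two quoted access-list 111 lines the way the router's NAT decision does: wildcard-mask matching, first matching entry wins, implicit deny at the end. It also parses the permit-only variant from the follow-up question; the packet addresses 10.10.10.5, 192.168.1.7 and 203.0.113.9 are constructed.

```python
# Added example (not code from the Cisco article or the thread): a small
# evaluator for Cisco-style numbered ACLs with wildcard masks, showing which
# packets access-list 111 marks for translation and which it exempts.
import ipaddress
from typing import List, Tuple

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (n & care)

def _addr_spec(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec (any / host X / NET WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_acl(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; '!' comments are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, swc, i = _addr_spec(tok, 4)
        dst, dwc, _ = _addr_spec(tok, i)
        entries.append((tok[2], src, swc, dst, dwc))  # (action, src, wc, dst, wc)
    return entries

def nat_decision(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny.
    For 'ip nat inside source list', the packet checked is the untranslated
    inside-to-outside packet, so src_ip is the inside host."""
    for action, src, swc, dst, dwc in acl:
        if wildcard_match(src_ip, src, swc) and wildcard_match(dst_ip, dst, dwc):
            return "translate" if action == "permit" else "exempt"
    return "exempt"   # implicit deny: the packet is not translated

# The two ACL lines quoted from the Cisco example (packets below are constructed).
ACL_111 = parse_acl([
    "!--- The access list is used to specify which traffic is to be translated.",
    "access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 111 permit ip any any",
])
# The asker's permit-only variant: anything else hits the implicit deny.
ACL_PERMIT_ONLY = parse_acl(
    ["access-list 111 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255"])
```

Feeding the asker's flipped line through parse_acl and nat_decision shows that source and destination are compared positionally, so the swapped entry matches only the reverse flow (VPN pool as source) and an inside-to-VPN packet falls through to permit ip any any.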