Cisco NAT and Access List

So I have a Cisco 2921 router with a security license. We have a static IP for our WAN and a CIDR block of 16 IPs for some of our servers. I have 2 route-maps set up that have an access-list assigned to them but don't quite understand how this all works. I understand the ACLs for the external WAN coming in to particular servers but not the internal traffic shaping. We have Cisco switches and a total of 5 VLANs set up.

The router is on a
I really don't understand the 100, 101, 105 access lists and what they are doing. I read Cisco's documentation but am looking for a bit more analysis. Attached is a snippet of my router config.



Axis52401 (Security Analyst) commented:
ACL 100 is limiting inbound telnet/SSH access and SDM access to the 10.110.110.x subnet only.

ACL 101 probably started as an ACL to deny NAT between the 10.110.110.x subnet and the 10.110.111.x subnet but then expanded into an allow list which is used elsewhere on the router. In the ASA world it's called a NAT exemption, but in the router world you have to create deny statements for hosts that shouldn't have their IP address NATed.

ACL 105 seems to be the most restrictive ACL.
 - subnet 10.110.110.x cannot talk to 10.110.111.x but it can talk to anyone else.
 - subnets 110 and 112 can talk to whomever

What they are supposed to accomplish all depends on their placement. But it seems like the idea was to use these ACLs for the different VLANs and restrict which VLANs can talk to the others. Hope that helps.

Scott_Smith24 (Author) commented:
So ACL 101 is applied to a route-map nonatme which is set to the external port interface and marked overload. What does that mean?
Axis52401 (Security Analyst) commented:
Scott Smith24,

ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload

This nat rule is using NAT Overload which is another name for PAT, Port Address Translation. PAT differs from NAT in that PAT uses ports to keep track of the internal to external translation. PAT allows the internal hosts to share a single external IP address. Each host is assigned a unique port number, this is what actually allows them all to share the same external IP address.

So the above NAT rule is saying use PAT and do not NAT these hosts. Meaning their internal IP address will remain the same when it leaves the GigabitEthernet0/0 interface. So any host matching the route-map nonatme will share the same external IP address that is assigned to Gig0/0. PAT will assign a unique port number to each host so it can keep track of what host is using what resource. I hope that helps.
Scott_Smith24 (Author) commented:
Thanks a lot for the explanation.
emma yemisi commented:
ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload
The NAT statement above allows interface Gig0/0 to translate every possible traffic of your LAN out/in, meaning all your LAN devices using private IP addresses are translated to the IP address of this interface to communicate with the outside world.

1. access-list 100 remark VTY Access-class list
2. access-list 100 remark SDM_ACL Category=1
3. access-list 100 permit ip any
4. access-list 100 deny   ip any any
The above is as follows:

line 1: says this access-list is for VTY access.
           VTY is a virtual terminal line, assigned an IP address for remote access to a particular device.
line 2: simply says this access is coming from SDM, a GUI remote access tool.

line 3: says allow any IP address from this IP network to reach any other IP/network within
            your LAN ( -
line 4: says deny any other IP address class other than the one specified in line 3 above from getting to this LAN.

As for the 101 list, there are 2 things set up here: NAT and filtering of traffic from host to network and host to host.
The below are the NAT translations:
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 permit ip any
access-list 101 permit ip any
access-list 101 permit ip any
access-list 101 permit ip any
access-list 101 permit ip any
access-list 105 permit ip any
access-list 105 permit ip any

access-list 101 deny   ip
The CLI above denies network 110 from accessing network 111 ( -

access-list 105 deny   ip
This statement is the same as the one above in 101.

access-list 150 permit ip
This one too denies network 111/24 from accessing network 109/24.

access-list 150 permit ip
Denies network 110 from network 109.

access-list 150 permit ip
Denies network 102 from accessing network 109.
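The two answers above describe the same mechanism from different angles: an IOS extended ACL is evaluated top-down, first match wins, with an implicit deny at the end, but what a "deny" means depends on where the ACL is attached. As an access-class on the vty lines (ACL 100) a deny refuses the management session; inside the route-map behind "ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload" (ACL 101) a deny is a NAT exemption, so the packet is forwarded with its inside address untouched, while a permit is translated to the Gig0/0 address with a unique port (PAT). The following simulation is an added example, not the thread's router config or any participant's code: the ACL text, the 10.110.x.x/24 subnets, the host 10.110.110.10 and the outside address 203.0.113.1 are all assumed, because the original post's addresses were stripped from the page. The sequential port allocation is a simplification of IOS overload, which keeps the original source port when it is free.

```python
"""Simulate IOS extended-ACL evaluation and the two meanings of "deny":
on a vty access-class the session is refused; in a route-map used by
"ip nat inside source ... overload" the packet is simply left untranslated.
Constructed example with assumed addresses; not the thread's real config."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_match(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)         # an IOS wildcard mask is an ipaddress hostmask
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acl(text, number):
    """Return the ACEs of 'access-list <number>', in order, skipping remarks."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        if tokens[2] == "remark":
            continue
        action, rest = tokens[2], tokens[4:]   # tokens[3] is the protocol ("ip")
        src = _parse_match(rest)
        dst = _parse_match(rest)
        aces.append(Ace(action, src, dst))
    return aces


def lookup(aces, src_ip, dst_ip):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def vty_allowed(acl100, src_ip):
    """'access-class 100 in' on line vty: only the session source is tested,
    so the destination argument is a placeholder that matches 'any'."""
    return lookup(acl100, src_ip, "0.0.0.0") == "permit"


class PatTable:
    """Port Address Translation state for one outside interface (Gig0/0)."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.bindings = {}           # (inside_ip, inside_port) -> outside_port

    def translate(self, nat_acl, src_ip, src_port, dst_ip):
        """Apply 'ip nat inside source route-map X interface Y overload'.
        A deny in the route-map's ACL is a NAT exemption, not a drop."""
        if lookup(nat_acl, src_ip, dst_ip) != "permit":
            return (src_ip, src_port, "untranslated")
        key = (src_ip, src_port)
        if key not in self.bindings:  # one unique outside port per inside socket
            self.bindings[key] = self.next_port
            self.next_port += 1
        return (self.outside_ip, self.bindings[key], "pat")


# Constructed config modelled on the thread's ACL 100 / ACL 101 structure.
SAMPLE_CONFIG = """
access-list 100 remark VTY Access-class list
access-list 100 permit ip 10.110.110.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 deny   ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
access-list 101 deny   ip host 10.110.110.10 any
access-list 101 permit ip 10.110.110.0 0.0.0.255 any
access-list 101 permit ip 10.110.111.0 0.0.0.255 any
"""
ACL100 = parse_acl(SAMPLE_CONFIG, 100)
ACL101 = parse_acl(SAMPLE_CONFIG, 101)
OUTSIDE_IP = "203.0.113.1"           # assumed Gig0/0 address


def demo():
    """Run five constructed flows through the NAT decision and return the results."""
    pat = PatTable(OUTSIDE_IP)
    flows = [
        ("10.110.110.5", 40000, "10.110.111.7"),    # VLAN to VLAN: exempt from NAT
        ("10.110.110.5", 40000, "198.51.100.20"),   # to the Internet: PAT
        ("10.110.111.9", 40000, "198.51.100.20"),   # second host, same source port
        ("10.110.110.10", 40000, "198.51.100.20"),  # host explicitly exempted
        ("10.110.112.3", 40000, "198.51.100.20"),   # no ACE: implicit deny, not NATed
    ]
    return [pat.translate(ACL101, s, p, d) for s, p, d in flows]


if __name__ == "__main__":
    for row in demo():
        print(row)
    print(vty_allowed(ACL100, "10.110.110.5"), vty_allowed(ACL100, "10.110.111.5"))
```

The last flow is the practical caveat: a subnet that no permit line in ACL 101 covers is silently left untranslated, so a new VLAN that reaches the Internet with a private source address is usually a missing permit in the NAT ACL, not a routing problem.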