ip nat inside source list

Jun 3, 2011 4:58 AM

Alexandr 2 posts since
Apr 5, 2011

Hello, guys.

I got into a situation that I can't figure out myself.

 

Let's assume we have a router with two interfaces with 10.10.10.0/24 network behind fa0/0:

fa0/0 - ip nat inside

fa0/1 - ip nat outside

 

We want to do a simple overloaded NAT:

ip nat inside source list NAT_ACL interface FastEthernet0/1 overload

 

Let's say I want to give a host 10.10.10.7 permission to ping the outside world and nothing more (ICMP only).

My first idea was to write a permit rule in the NAT_ACL:

permit icmp host 10.10.10.7 any

 

But it doesn't work and I don't understand why. Can someone give me a clue on this?

 

permit ip host 10.10.10.7 any

works perfectly fine for both tcp/udp and icmp connections.

  • Sey 1,388 posts since
    May 4, 2010
    1. Jun 3, 2011 5:37 AM (in response to Alexandr)
    Re: ip nat inside source list

    The NAT_ACL is a so-called qualifying access list. It just tells the router what hosts are eligible for natting. You can't use it for filtering. Create another ACL for filtering and apply it to fa0/0 with the (config-if)#access-group command.
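
The split described in the reply above, written out as IOS configuration for the topology in the question. This is an added example, not part of the original thread: the ACL name FILTER_IN is hypothetical, and the explicit deny line with log is an assumption added so that dropped traffic shows up in counters.

```cisco
! Constructed example: fa0/0 is the inside interface, fa0/1 the outside one.
! NAT_ACL is the name used in the thread; FILTER_IN is a hypothetical name.
!
! 1. Qualifying ACL: only selects which inside sources are eligible
!    for translation. It is not a packet filter.
ip access-list extended NAT_ACL
 permit ip host 10.10.10.7 any
!
! 2. Filtering ACL: decides what the host may actually send.
!    An inbound ACL on the inside interface is evaluated before NAT,
!    so it matches the untranslated source address 10.10.10.7.
ip access-list extended FILTER_IN
 permit icmp host 10.10.10.7 any
 deny   ip any any log
!
interface FastEthernet0/0
 ip nat inside
 ip access-group FILTER_IN in
!
interface FastEthernet0/1
 ip nat outside
!
ip nat inside source list NAT_ACL interface FastEthernet0/1 overload
!
! Checks after a ping and a TCP connection attempt from 10.10.10.7:
!  show ip access-lists FILTER_IN   (hit counters on the permit and deny lines)
!  show ip nat translations         (only icmp entries should appear)
```

Because FILTER_IN is applied inbound on fa0/0, its deny line also drops traffic from inside hosts to the router itself, so anything the router must accept on that interface (management access, for example) needs its own permit line above the deny.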

  • BRAD 35 posts since
    Jul 27, 2012
    3. Jul 1, 2013 6:18 AM (in response to Alexandr)
    Re: ip nat inside source list

    The optional keyword overload enables port translation for UDP and TCP.
