NAT and ACL Notes

Here are some NAT and ACL notes I’ve been taking from my studies. Want to use them for yours? Go ahead. These are just random notes however, not much context to go off of.


ACLs have an implicit deny at the end of each ACL.
Rules of ACLs: 1 ACL Per Interface Per Direction

Named ACL: router(config)#ip access-list <(extended)(standard)> <(1-99)(100-199)(WORD)>
Modify Numbers (lines) in ACLs:
router(config-ext-nacl)# <1-2147483647> [statement]
At the end for your ACL, to negate the implicit deny:
Standard: access-list (1-99) permit any
Extended: access-list (100-199) permit ip any any
Standard (1-99) - permit or deny based on source. Apply standard ACLs as far from the source/as close to the destination as possible.
access-list (1-00) <(permit)(deny)(remark)> <Source(any)(host)(A.B.C.D)> <(cr)(wildcard)(log)>
Apply IN or OUT at router(config-if)#ip access-group (1-99) <(in)(out)>
Prevent telnet or ssh:
router(config-line)#access-class <(1-99)> <(in)(out[not reccomended btw])>
Extended (100 - 199) - more powerful, based on port, protocol, source to destination. For efficiency, (not required) place as close to the source as possible/as far from the destination as possible. (Place INBOUND on the host's default gateway, this prevents the packet from even being routed in the first place)
access-list (100-199)
Based on protocol:
access-list (100-199)
<eq(port#/name)SOURCE PORT - usually ANY since the host rolls a source itself>
<eq(port#/name)DESTINATION PORT>
access-list 100 deny tcp any eq 23 - deny /24 telnet
access-list 100 deny tcp any eq 80 - deny /24 http
access-list 100 deny udp host any eq 69 - deny host tftp
access-list 100 deny tcp any any eq 3724 - deny any host from World of Warcraft
access-list 100 deny udp any any eq 3724 - deny any host from World of Warcraft

Apply IN or OUT at router(config-if)#ip access-group (100-199) <(in)(out)>
router(config)#ip access-list extended WAN_FILTER
router(config-ext-nacl)# permit tcp any any established
router(config)#int WAN INTERFACE
router(config-if)#ip access-group WAN_FILTER in
(EXAMPLE ISP IP address:
Dynamic NAT - Internal IP to WAN UP - One to One Translation
as well as WAN to Internal
Least common use form of NAT

router(config-if)#ip nat inside - identifies your INTERNAL facing interface (into your network)
router(config-if)#ip nat outside - identifies your EXTERNAL facing interface (outside your network boundary to isp)
router(config)#ip access-list standard (name)
router(config-std-nacl)#deny - this line denies /24 from being translated to the internet. Will stop the host at the exiting infterface and will not reach the internet.
permit - this line is what tells the router to translate /16 out to the internet. This will translate an internal private IP address to an external routeable IP address onto the internet as number)
router(config)#ip nat inside source list NAME int (external interface) overload - adding overload adds the port number to the external IP.
router#show ip nat translations will show your nat translations
NAT Overload - Internal IP to external IP+port (commonly called PAT)
EX:<[random]5634 (d)> goes out WAN interface (ip, and a NAT session is created and entered from t, it is overloaded to <>, packets from come back as <>
example(this is not a real translation table):
Web Browser checks
Inside Source _ _ _ _ _ _ _ | _ _ _ _ Outside Source _ _ _ _ _ | _ _ _ _Destination _ _ _
____________________________|__________________________________|_________________________ - - - - -|- - - - - - - - - | - - -
[HOST] [WAN] []
A reply FROM
Inside Destin _ _ _ _ _ _ _ | _ _ _ _ Outside Source _ _ _ _ _ | _ _ _ _Destination _ _ _
____________________________|__________________________________|_________________________ - - - - | - - - - - - - -| - -
[HOST] [] [WAN]

Static NAT: Create 1 to 1 IP Mappings. 1 internal IP, to 1 external IP.
or, multiple internal IPs to one external IP with unique port numbers.
Used commonly for outside IPs to access your internal ips. 
(like a webserver for example)
router(config)#ip nat inside source static would be seen on the internet as
router(config)#ip nat inside source static tcp 80 WAN INTERFACE 80
any http requests (tcp 80) to would be forwarded to
port static nat mapping is the best way to use an IP address given to you by an ISP.
For large organizations that could use up all their ports:
router(config)#ip nat pool INTERNET_ADDRESS (list your public IP addresses) prefix-length
router(config)#ip nat inside source list WAN_FILTER pool INTERNET_ADDESSES overload
this allows all your hosts in the network to use and for their nat translations.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s