Technical data

ManualsBrandsBrocade Communications Systems ManualsHome Theater ServerServerIron ADX 12.4.00

101

102

103

104

105

106

107

108

109

110

ServerIron ADX NAT64 Configuration Guide 95

53-1002444-02

Using flow-based ACLs and NAT on the same interface

DRAFT: BROCADE CONFIDENTIAL

Using flow-based ACLs and NAT on the same interface

You can use ACLs and NAT on the same interface, as long as you follow these guidelines:

• You must use the ip strict-acl-tcp command when configuring ACLs and NAT is configured on

the same Layer 2 Switch. (Refer to the instructions below on how to use this command.)

• Do not enable NAT on an interface until you have applied ACLs (as described below) to the

interface. If NAT is already enabled, you must disable it, apply the ACLs, then re-enable NAT on

the interface.

• Enable the strict TCP mode.

• On the inside NAT interface (the one connected to the private addresses), apply inbound ACLs

that permit TCP, UDP, and ICMP traffic to enter the device from the private subnet.

You can use a standard ACL to permit all traffic (including TCP, UDP, and ICMP traffic) or an

extended ACL with separate entries to explicit ly p e r m i t TCP, UDP, and ICMP traf fic.

NOTE

You do not need to apply ACLs to permit TCP, UDP, and ICMP traffic unless you are applying other

ACLs to the interface as well. If you do not plan to apply any ACLs to a NAT interface, then you do not

need to apply the ACLs to permit TCP, UDP, and ICMP traffic.

Here is an example of how to configure device to use ACLs and NAT on the same interfaces. In this

example, the inside NAT interface is port 1/1 and the outside NAT interface is port 2/2.

The following commands enable the strict TCP mode and configure an ACL to permit all traffic from

the 10.10.200.x subnet. A second ACL denies traffic from a specific host on the Internet.

ServerIronADX(config)# ip strict-acl-tcp

ServerIronADX(config)# access-list 1 permit 10.10.200.0 0.0.0.255

ServerIronADX(config)# access-list 2 deny 209.157.2.184

The following commands configure global NAT parameters.

ServerIronADX(config)# ip nat inside source list 1 pool outadds overload

ServerIronADX(config)# ip nat pool outadds 204.168.2.1 204.168.2.254 netmask

255.255.255.0

The following commands configure the inside and outside NAT interfaces. Notice that the ACLs are

applied to the inbound direction on the inside NAT interface, and are applied before NAT is enabled.

In this example, ACL 1 permits all traffic to come into the inside interface from the private subnet.

ACL 2 denies traffic from a specific host from going out the interface to the private subnet.

ServerIronADX(config)# interface ethernet 1/1

ServerIronADX(config-if-1/1)# ip address 10.10.200.1 255.255.255.0

ServerIronADX(config-if-1/1)# ip access-group 1 in

ServerIronADX(config-if-1/1)# ip nat inside

ServerIronADX(config-if-1/1)# interface ethernet 2/2

ServerIronADX(config-if-2/2)# ip address 204.168.2.78 255.255.255.0

ServerIronADX(config-if-2/2)# ip nat outside

NOTE

Enter the ip rebind-acl command at the global CONFIG level of the CLI to place the ip strict-acl-tcp

command into effect.