From: Huan Pham (pnhuan@yahoo.com)
Date: Tue Nov 25 2008 - 09:31:09 ARST
"Allow access to a server located at 10.4.4.100; outside users should be able to connect to this server using IP address 204.12.X.100"
Does this imply directly that you need to use NAT instead of Reflexive ACL?
The difference between NAT and Reflexive ACL is that NAT does ... what it stands for, i.e. (Network) Address Translation. Reflexive ACL does not!
They are very similar in terms of security.
--- On Tue, 11/25/08, Ajay mehra <ajaymehra01@gmail.com> wrote:
> From: Ajay mehra <ajaymehra01@gmail.com>
> Subject: Difference between NAT and Reflexive ACls
> To: "ccielab@groupstudy.com" <ccielab@groupstudy.com>
> Date: Tuesday, November 25, 2008, 9:43 PM
> Hi,
>
> I got this doubt while doing lab 5 from IE WB. Is there any difference
> between NAT and Reflexive ACLs with respect to the question below? I was sure
> that I do not need 'nat' at all in this case.
>
> Question says:
>
> After recent security issues related to servers located in VLAN 4 a new
> corporate policy dictates that R4 be hardened according to the following
> requirements:
>
> Treat R4's interface E0/0 as the outside interface and all other interfaces
> as inside
>
> Disable CDP on the outside interface
>
> Drop packets that are source routed
>
> TCP or UDP sessions that were initiated from behind R4 should be permitted
> inbound from the outside
>
> Allow access to a server located at 10.4.4.100; outside users should be able
> to connect to this server using IP address 204.12.X.100
>
>
>
> All of my config was good and working except the solution guide enables NAT
> on inside and outside interfaces. I am not sure what specific requirement
> calls for enabling NAT when I have reflexive ACLs enabled and which would
> make sure that I do not accept any traffic from the outside except permitted
> explicitly.
>
>
>
> Can you please clarify?
>
>
>
> Thanks,
>
> Ajay
>
>
> Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:32 ARST
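
The two mechanisms side by side for the requirements quoted in the thread, as an added example that is not part of the original messages or of the workbook's solution guide. The ACL names, the reflexive list name and the inside interface name are hypothetical, and the `X` in 204.12.X.100 is left exactly as the thread gives it.

```cisco
! Added example. OUTSIDE-IN, OUTSIDE-OUT, MIRROR and Ethernet0/1 are
! hypothetical names; "X" is the unfilled octet from the thread.
!
! Drop source-routed packets
no ip source-route
!
! Address translation: this is the only statement that makes the host at
! 10.4.4.100 answer to 204.12.X.100. A reflexive ACL never rewrites addresses.
ip nat inside source static 10.4.4.100 204.12.X.100
!
! Session filtering: outbound TCP/UDP creates temporary mirror entries.
! On egress the ACL is evaluated after NAT, so the entries hold the
! translated (global) addresses.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
!
! Inbound ACL is evaluated before NAT, so the server is permitted by its
! global address, not by 10.4.4.100. Everything else must match MIRROR.
ip access-list extended OUTSIDE-IN
 permit ip any host 204.12.X.100
 evaluate MIRROR
!
interface Ethernet0/0
 no cdp enable
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
interface Ethernet0/1
 ip nat inside
```

The implicit deny at the end of both lists also drops anything not listed here, such as routing protocol packets arriving on E0/0 or non-TCP/UDP transit traffic leaving it, so a working lab configuration would need explicit permits for those.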