More of technical question - Why Does NAT Work Even Though Got ACL To Block Incoming Traffic

This is more of a general networking question.
I configure ip nat out on the external interface.
I also configure acl to prevent traffic coming in that external interface.
Users can goto internet which means NAT is working.


  • Options

    Because the incomming traffic is initiated from the inside interface and not the external.

  • Options

    "incomming traffic is initiated from the inside interface".
    Sorry can you explain this?
    I thought the ACL will block traffic regardless of where it is initiated?

  • Options

    Well, if it should block all incomming traffic, then reply packets from the inside initiated sessions would not get through and nothing would work.
    A simpel 3 way handshake would not work.

  • Options

    Presumably your Deny policy has From: Any-external, which allows packets from whatever is connected to the external interface - usually the Internet.

    Also, reply packets are automatically allowed.

Sign In to comment.