1. Manuals
  2. Brands
  3. Brocade Communications Systems Manuals
  4. Switch
  5. ServerIron ADX 12.4.00a
  6. Security manual

Using Acls And Nat On The Same Interface (Flow-Based Acls) - Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual

Version 12.4.00a
Hide thumbs
Table of Contents

Advertisement

2

Using ACLs and NAT on the same interface (flow-based ACLs)

TABLE 5
ICMP message type
protocol-unreachable
reassembly-timeout
redirect
NOTE: This includes all redirects.
router-advertisement
router-solicitation
source-host-isolated
source-quench
source-route-failed
time-exceeded
timestamp-reply
timestamp-request
ttl-exceeded
unreachable
NOTE: This includes all unreachable messages
Using ACLs and NAT on the same interface (flow-based ACLs)
You can use ACLs and NAT on the same interface, as long as you follow these guidelines:
You can use a standard ACL to permit all traffic (including TCP, UDP, and ICMP traffic) or an
extended ACL with separate entries to explicitly permit TCP, UDP, and ICMP traffic.
NOTE
You do not need to apply ACLs to permit TCP, UDP, and ICMP traffic unless you are applying other
ACLs to the interface as well. If you do not plan to apply any ACLs to a NAT interface, then you do not
need to apply the ACLs to permit TCP, UDP, and ICMP traffic.
Here is an example of how to configure device to use ACLs and NAT on the same interfaces. In this
example, the inside NAT interface is port 1/1 and the outside NAT interface is port 2/2.
The following commands enable the strict TCP mode and configure an ACL to permit all traffic from
the 10.10.200.x sub-net. A second ACL denies traffic from a specific host on the Internet.
82
ICMP message types and codes
You must use the ip strict-acl-tcp command when configuring ACLs and NAT is configured on
the same Layer 2 Switch. (Refer to the instructions below on how to use this command.)
Do not enable NAT on an interface until you have applied ACLs (as described below) to the
interface. If NAT is already enabled, you must disable it, apply the ACLs, then re-enable NAT on
the interface.
Enable the strict TCP mode.
On the inside NAT interface (the one connected to the private addresses), apply inbound ACLs
that permit TCP, UDP, and ICMP traffic to enter the device from the private sub-net.
Type
Code
3
2
11
1
5
x
9
0
10
0
3
8
4
0
3
5
11
x
14
0
13
0
11
0
3
x
ServerIron ADX Security Guide
53-1002440-03

Advertisement

Table of Contents
loading

Related Manuals for Brocade Communications Systems ServerIron ADX 12.4.00a

Related Content for Brocade Communications Systems ServerIron ADX 12.4.00a

This manual is also suitable for:

Serveriron adx 1000Serveriron adx 4000Serveriron adx 8000Serveriron adx 10000

Table of Contents