352-001 Question #185: Real Exam Question with Answer & Explanation
The correct answer is A: inside local.
Question
Your network operations team is deploying Access Control Lists (ACLs) across your Internet gateways. They wish to place an ACL inbound on the Internet gateway interface facing the core network (the "trusted" interface). Which one of these addresses would the ACL need for traffic sourced from the inside interface, to match the source address of the traffic?
Options
- A. inside local
- B. outside local
- C. inside global
- D. outside global
Explanation
An ACL applied inbound on the inside (trusted) interface of a NAT gateway evaluates packets before address translation occurs, so the source address seen by the ACL is the private inside local address of the originating host.
Common mistakes.
- B. The outside local address is the IP address of an external host as seen from the inside network, which is the destination address of outbound traffic - not the source address of traffic originating from inside hosts.
- C. The inside global address is the translated public IP representing an inside host as seen from the outside; this address only exists after NAT translation has been applied, which has not yet occurred when an inbound ACL on the inside interface is evaluated.
- D. The outside global address is the IP address of an external host as seen from outside the network and has no relevance as the source address of traffic originating from internal hosts traversing the inside interface.
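The following is an added example, not part of the original question or of any Cisco material: a small Python model of the inside-to-outside path, showing which source address an ACL sees before and after translation. The addresses, the NAT table, and the function names are constructed for illustration, and the model assumes a single static inside source translation.

```python
import ipaddress

# Constructed sample addresses (RFC 1918 inside, RFC 5737 documentation ranges outside).
INSIDE_LOCAL = "10.1.1.10"       # inside host as addressed on the inside network
INSIDE_GLOBAL = "203.0.113.10"   # same host as seen from the outside, after NAT
OUTSIDE_GLOBAL = "198.51.100.20" # external destination host
NAT_TABLE = {INSIDE_LOCAL: INSIDE_GLOBAL}  # static inside source translation

def acl_permits(acl, src):
    """First-match evaluation of (action, network) entries, implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False

def inside_to_outside(packet, inside_in_acl, outside_out_acl=None):
    """Model the path: inbound ACL on inside interface, then NAT, then outbound ACL."""
    trace = {"acl_in_saw": packet["src"]}  # translation has not happened yet
    if not acl_permits(inside_in_acl, packet["src"]):
        trace["result"] = "dropped by inbound ACL on inside interface"
        return trace
    translated = dict(packet, src=NAT_TABLE.get(packet["src"], packet["src"]))
    trace["acl_out_saw"] = translated["src"]  # outbound ACL sees the translated source
    if outside_out_acl is not None and not acl_permits(outside_out_acl, translated["src"]):
        trace["result"] = "dropped by outbound ACL on outside interface"
        return trace
    trace["result"] = "forwarded"
    trace["wire_src"] = translated["src"]
    return trace

PACKET = {"src": INSIDE_LOCAL, "dst": OUTSIDE_GLOBAL}
ACL_INSIDE_LOCAL = [("permit", "10.1.1.0/24")]      # written against inside local (answer A)
ACL_INSIDE_GLOBAL = [("permit", "203.0.113.0/24")]  # written against inside global (option C)

if __name__ == "__main__":
    # Correct: the inbound ACL matches the untranslated source.
    print(inside_to_outside(PACKET, ACL_INSIDE_LOCAL))
    # Mistake C: the inside global address does not exist yet at this point, so implicit deny.
    print(inside_to_outside(PACKET, ACL_INSIDE_GLOBAL))
    # The inside global ACL only makes sense outbound on the outside interface.
    print(inside_to_outside(PACKET, ACL_INSIDE_LOCAL, ACL_INSIDE_GLOBAL))
```

An ACL written against the inside global range silently drops all legitimate inside traffic when applied inbound on the trusted interface, which is the failure mode option C leads to.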
Concept tested. NAT inside local address and inbound ACL placement order
Reference. https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/8605-13.html