
Blocking ports when using NAT

Joined: Jan 17, 2006 | Messages: 1 | Location: US
For the record I do not fully understand NAT. Basically I don't quite understand how to use ACLs with NAT or if it is even needed.

To the point, we are running NAT on our 2600 router so everyone can access the internet using one IP address. I think it is called overload NAT.

Normally you want to use ACLs to block all ports save the ones needed for the internet. Does this still apply when using NAT? And if so, how does one go about doing this? Must I make the ACL block the ports on the single IP that NAT is using?
So if we are using 65.54.210.55 as our NAT, would I then just allow only 80, 443, etc. on that IP address for incoming and outgoing or established connections? I would not block the ports on our internal IP address, because this would have no effect, correct?

Essentially our external IP address seems to be what our NAT is, unless I do not understand how it is working. Meaning what our company's external IP address is, is also what my IP address lists at when browsing.

Hope I am explaining this right. Thanks in advance.
 
You're translating all internal addresses to a single outside address by translating the source ports of outbound connections.

For example: inside:5508->public:80 becomes outside:51234->public:80

Then, the router translates the reply to outside:51234 back to inside:5508.

Unsolicited inbound traffic will simply go to the router since it doesn't know what to do with it. Only established connections are allowed anyway. An ACL would protect the router itself, though.

ACLs on inside interfaces do have an effect: they control traffic into or out of that interface. If you want to prevent users from sending mail to the internet, then the inside interface is the place to do it with an inbound ACL blocking port 25.
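An added example (not from either poster) of the ACL placement the reply describes, written as Cisco IOS 12.x configuration for a router doing NAT overload on the single outside address 65.54.210.55 from the question: an inbound ACL on the inside interface blocks outbound SMTP, and an inbound ACL on the outside interface drops unsolicited traffic aimed at the router while letting replies through. The interface names, the 192.168.1.0/24 inside network and the ACL names are assumptions.

```cisco
! Inside LAN interface: NAT source side, filtered inbound from the LAN
interface FastEthernet0/0
 description Inside LAN (assumed 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE_IN in
!
! Outside interface: the single public address every inside host appears as
interface Serial0/0
 description Internet uplink (assumed interface name)
 ip address 65.54.210.55 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE_IN in
!
! Overload (PAT): translate every permitted inside source to the outside
! interface address, distinguishing flows by translated source port
ip nat inside source list NAT_SOURCES interface Serial0/0 overload
!
ip access-list standard NAT_SOURCES
 permit 192.168.1.0 0.0.0.255
!
! Inside-interface ACL, applied inbound: traffic leaving the LAN is checked
! here BEFORE translation, so it matches the private source addresses.
! Blocking port 25 here stops users mailing the internet directly.
ip access-list extended INSIDE_IN
 deny   tcp 192.168.1.0 0.0.0.255 any eq smtp log
 permit ip 192.168.1.0 0.0.0.255 any
!
! Outside-interface ACL, applied inbound: everything from the internet is
! addressed to 65.54.210.55 until NAT untranslates it, so filtering is done
! on the public address, not on the internal hosts.
ip access-list extended OUTSIDE_IN
 ! TCP replies to connections opened from inside (ACK or RST set)
 permit tcp any any established
 ! DNS replies to queries sent out by inside resolvers
 permit udp any eq domain any
 ! Ping replies to outbound echo requests
 permit icmp any any echo-reply
 ! Everything unsolicited, including probes of the router itself
 deny   ip any any log
```

The `established` keyword only inspects TCP flag bits and is not a stateful check; a router running CBAC or the zone-based firewall feature would track sessions properly instead.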
 