Filter traffic with Access Control Lists and translate private addresses with NAT — two configs you’ll write on almost every router and firewall.
Why: an Access Control List is an ordered list of permit/deny rules that filters packets by address, protocol, and port — the fundamental tool for controlling who can talk to what. When: apply ACLs to secure segments, restrict management access, and enforce policy. Where: order matters (first match wins) and there is an implicit "deny all" at the end, so a rule with no permit blocks everything.
! Extended ACL: allow web to a server, allow established replies, deny the rest.
R1(config)# ip access-list extended WEB_ONLY
R1(config-ext-nacl)# permit tcp any host 192.168.10.5 eq 443
R1(config-ext-nacl)# permit tcp any host 192.168.10.5 eq 80
R1(config-ext-nacl)# deny ip any any log ! explicit deny (logs hits)
! Apply it to an interface, in a direction:
R1(config)# interface Gig0/0
R1(config-if)# ip access-group WEB_ONLY inWhy: standard ACLs match only the source address (blunt, placed near the destination), while extended ACLs match source, destination, protocol, and port (precise, placed near the source) — choosing wrong wastes bandwidth or over-blocks. When: use extended ACLs for almost everything real; standard only for simple source-based filtering. Where: place extended ACLs close to the source to drop unwanted traffic early.
STANDARD (1-99) matches SOURCE only place near DESTINATION
access-list 10 permit 192.168.10.0 0.0.0.255
EXTENDED (100-199) source+dest+proto+port place near SOURCE
permit tcp 192.168.10.0 0.0.0.255 any eq 443
Wildcard mask is the INVERSE of the subnet mask: /24 -> 0.0.0.255.Why: NAT and ACLs almost always appear together on an edge router — the ACL selects which inside addresses get translated, and NAT overload (PAT) shares one public IP for internet access (covered in depth in the Subnetting course). When: configure PAT so the LAN reaches the internet through the outside interface. Where: verify the live translations to confirm it is working.
R1(config)# interface Gig0/1
R1(config-if)# ip nat inside
R1(config)# interface Gig0/0
R1(config-if)# ip nat outside
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface Gig0/0 overload
R1# show ip nat translations