Routing, NAT & ACLs
How traffic crosses boundaries
Real-world analogy
Routers are border officers. They check each packet’s destination, compare it against a map (routing table), decide which road to send it down, and sometimes rewrite the return address (NAT) before it leaves the country.
What is it?
Routing, NAT, and ACLs are the mechanisms that move packets across network boundaries and control what’s allowed. Even if you never configure a router in your first job, you must be able to read topology and firewall rules confidently.
Real-world relevance
A bank exposes an online banking portal via DNAT from 203.0.113.10:443 to 10.50.1.20:8443. An ACL allows only specific monitoring and admin subnets to reach the admin port. An auditor asks: ‘Why is this allowed?’ — and your firewall doc has the answer.
Key points
- Routing table basics — A router (or host) picks the most specific matching route to a destination. Longest-prefix match wins. ‘Default route’ (0.0.0.0/0) is the catch-all when nothing else matches.
- Static vs dynamic routing — Static: you write the routes manually (simple, brittle, fine for small networks). Dynamic: routers share routes using protocols like OSPF, EIGRP, BGP. Juniors should know the names; CCNA teaches the depth.
- NAT in plain English — Network Address Translation lets many private IPs share one public IP. Your home router does it automatically (PAT/overload). Enterprises use NAT for internet access, DMZ services, and hiding internal structure.
- Source NAT vs destination NAT — SNAT: change source IP on the way out (users reaching internet). DNAT: change destination IP on the way in (port-forward public:443 to internal web server). Both common in enterprise perimeters.
- ACLs — the allow/deny list — Access Control Lists specify which packets are allowed or denied based on source/destination IP, port, protocol. Applied on interfaces (in/out). Order matters: first match wins. End with an implicit deny in most vendors.
- Stateful firewall vs stateless ACL — A stateful firewall remembers outgoing flows and allows return traffic automatically. A stateless ACL matches every packet independently. Most enterprise firewalls are stateful; many router ACLs are stateless.
- Common firewall mistakes — (1) Any-any-allow rules, (2) no logging, (3) duplicated rules, (4) obsolete rules for decommissioned apps, (5) broad source/destination scopes. Audits love finding these.
- Route symmetry — Outbound and return traffic should take symmetric paths through firewalls (or firewalls must be state-synchronized). Asymmetric paths = random drops that look like ‘the firewall hates us.’
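The longest-prefix-match rule from the first key point, worked through in code. This is an added example, not part of the original page: it loads the three-row routing table shown in the "Code example" section below into Python's standard `ipaddress` module and resolves a few constructed destinations, including a hypothetical more-specific route (a DMZ /24 with next hop 10.255.0.3, made up for this example) that overrides the 10.0.0.0/8 aggregate for its own range only.

```python
# Added example (not from the original page): longest-prefix-match lookup
# over the routing table shown in the page's "Code example" section.
import ipaddress

# Routing table from the page; the third column is the page's own label for each route.
ROUTES = [
    ("0.0.0.0/0",       "203.0.113.1", "default"),
    ("10.0.0.0/8",      "10.255.0.1",  "internal"),
    ("192.168.50.0/24", "10.255.0.2",  "branch-A"),
]


def parse_routes(rows):
    """Turn (prefix, next_hop, label) rows into network objects; row order is irrelevant."""
    return [(ipaddress.ip_network(p, strict=True), nh, label) for p, nh, label in rows]


def lookup(routes, dst):
    """Return (prefix, next_hop, label) of the most specific route containing dst.

    Longest-prefix match: among all routes whose network contains the destination,
    the one with the largest prefix length wins. The default route (/0) contains
    every address, so it only wins when nothing more specific matches.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None  # only possible when the table has no default route
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return (str(best[0]), best[1], best[2])


def next_hop(dst, extra_routes=()):
    """Next hop for dst using the page's table plus optional extra (prefix, nh, label) rows."""
    table = parse_routes(list(ROUTES) + list(extra_routes))
    match = lookup(table, dst)
    return match[1] if match else None


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dst in ("10.50.1.20", "192.168.50.7", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    # Hypothetical DMZ route (constructed): a /24 inside 10.0.0.0/8 wins for its own
    # addresses only; the rest of 10/8 still goes to the "internal" next hop.
    dmz = [("10.50.1.0/24", "10.255.0.3", "dmz")]
    print("10.50.1.20 with DMZ route ->", next_hop("10.50.1.20", dmz))
    print("10.60.0.1 with DMZ route  ->", next_hop("10.60.0.1", dmz))
```

The same `lookup` works for a host's own table: a laptop with only a connected /24 and a default route applies exactly this rule, which is why a mistyped static route with a long prefix silently steals traffic from the default.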
Code example
// Routing + NAT + ACL — reading view
Routing table (simplified):
Destination       Next hop       Prefix
0.0.0.0/0         203.0.113.1    default
10.0.0.0/8        10.255.0.1     internal
192.168.50.0/24   10.255.0.2     branch-A

NAT examples:
SNAT: 10.0.0.0/8 -> 203.0.113.10 (for internet access)
DNAT: 203.0.113.20:443 -> 10.50.1.20:8443 (publish portal)

ACL (top-down, first match wins):
permit tcp 10.50.0.0/24 host 10.50.1.20 eq 8443
permit tcp any host 203.0.113.20 eq 443
deny ip any any log
Line-by-line walkthrough
- 1. Routing + NAT + ACL reading example
- 2. Routing table header
- 3. Destination / next hop / prefix columns
- 4. Default route line
- 5. Internal aggregation
- 6. Branch-A route
- 7. Blank separator
- 8. NAT examples header
- 9. SNAT for internet access
- 10. DNAT for portal publication
- 11. Blank separator
- 12. ACL header
- 13. Specific admin rule
- 14. Public portal rule
- 15. Explicit deny-all with logging (makes the otherwise silent implicit deny visible in logs)
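The SNAT and DNAT lines above, combined with the "stateful firewall remembers outgoing flows" key point, as one added example that is not part of the original page. It models an edge device with a connection table: outbound packets from 10.0.0.0/8 are source-translated to 203.0.113.10 with a fresh public port (PAT/overload), inbound packets to 203.0.113.20:443 are destination-translated to 10.50.1.20:8443, return traffic is admitted only when it matches remembered state, and anything else is dropped. The `StatefulNat` class, the `Packet` type, the port allocator starting at 40000 and every address on the internet side are assumptions made for this example.

```python
# Added example (not from the original page): a minimal stateful NAT table that
# applies the page's SNAT and DNAT rules and admits inbound traffic only when it
# matches a published service or a remembered outbound flow. All remote
# addresses, ports and flows here are constructed for the example.
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")              # SNAT source scope from the page
PUBLIC_SNAT_IP = "203.0.113.10"                               # SNAT: 10.0.0.0/8 -> 203.0.113.10
DNAT_RULES = {("203.0.113.20", 443): ("10.50.1.20", 8443)}  # DNAT: publish portal


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """Edge device with SNAT (PAT/overload), DNAT, and a connection table (assumed model)."""

    def __init__(self, first_port=40000):
        self._next_port = first_port
        # (public_ip, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.snat_state = {}
        # (client_ip, client_port, inside_ip, inside_port) -> (public_ip, public_port)
        self.dnat_state = {}

    def outbound(self, pkt):
        """Packet leaving the inside toward the internet."""
        if ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            return pkt  # not in the SNAT scope: forwarded untranslated
        # Reply from a published server: reverse the DNAT instead of allocating a PAT port.
        pub = self.dnat_state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if pub:
            return Packet(pub[0], pub[1], pkt.dst, pkt.dport)
        # New outbound flow: allocate a public port and remember the mapping (PAT).
        pub_port = self._next_port
        self._next_port += 1
        self.snat_state[(PUBLIC_SNAT_IP, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_SNAT_IP, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet arriving from the internet; returns the translated packet, or None if dropped."""
        # 1. Published service: DNAT by rule and remember the flow so the reply can be reversed.
        target = DNAT_RULES.get((pkt.dst, pkt.dport))
        if target:
            self.dnat_state[(pkt.src, pkt.sport, target[0], target[1])] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, pkt.sport, target[0], target[1])
        # 2. Return traffic for a remembered outbound flow: reverse the SNAT.
        orig = self.snat_state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig:
            return Packet(pkt.src, pkt.sport, orig[0], orig[1])
        # 3. No rule and no state: unsolicited, so the stateful device drops it.
        #    (A stateless ACL would need an explicit rule for every such return flow.)
        return None


if __name__ == "__main__":
    nat = StatefulNat()
    out = nat.outbound(Packet("10.50.3.4", 51000, "198.51.100.5", 443))
    print("user -> internet:", out)
    print("internet reply  :", nat.inbound(Packet("198.51.100.5", 443, out.src, out.sport)))
    print("unsolicited     :", nat.inbound(Packet("198.51.100.9", 12345, PUBLIC_SNAT_IP, 40000)))
    print("portal client   :", nat.inbound(Packet("198.51.100.7", 55000, "203.0.113.20", 443)))
    print("portal reply    :", nat.outbound(Packet("10.50.1.20", 8443, "198.51.100.7", 55000)))
```

The "unsolicited" case is the one that explains the route-symmetry key point: if a reply enters through a second firewall that never saw the outbound packet, its state table has no entry and step 3 drops it, which looks exactly like "the firewall hates us".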
Spot the bug
Firewall:
permit ip any any
deny tcp any any eq 22
Need a hint?
Does the deny rule actually have any effect in this order?
Show answer
No. ACLs evaluate top-down with first-match-wins. ‘permit ip any any’ matches everything first, so the SSH deny is never reached. Reorder: deny specific rules first, then permits, then an explicit deny-with-log at the end.
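The first-match evaluation described in the answer, plus an automatic check for rules that an earlier, broader rule makes unreachable. This is an added example, not part of the original page: `parse_rule`, `evaluate` and `shadowed_rules` are written for this example and accept only the simplified Cisco-style subset used on this page (`permit|deny <proto> <src> <dst> [eq <port>] [log]`, with `any`, `host A.B.C.D` or `A.B.C.D/len` for addresses). It runs the buggy two-line firewall above, the same two lines reordered, and the three-rule ACL from the "Code example" section against constructed traffic.

```python
# Added example (not from the original page): a first-match ACL evaluator plus a
# check that flags rules shadowed by an earlier, broader rule. Rule syntax is a
# simplified subset of the page's Cisco-style lines; sample traffic is constructed.
import ipaddress

ANY4 = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>] [log]' into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ANY4
        if rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
            rest = rest[2:]
            return net
        net = ipaddress.ip_network(rest[0], strict=False)
        rest = rest[1:]
        return net

    src, dst = take_addr(), take_addr()
    port = None
    if rest and rest[0] == "eq":
        port = int(rest[1])
        rest = rest[2:]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "log": "log" in rest, "text": line}


def matches(rule, proto, src, dst, dport):
    """Does one rule match a packet? 'ip' rules match every protocol; no 'eq' means any port."""
    if rule["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in rule["src"]:
        return False
    if ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    return rule["port"] is None or rule["port"] == dport


def evaluate(acl, proto, src, dst, dport):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule["action"], rule["text"]
    return "deny", "<implicit deny>"


def shadowed_rules(acl):
    """Rules that can never match because a single earlier rule covers all their traffic.

    This is a sufficient check only: several earlier rules could together cover a
    later one without any single rule doing so, and that case is not reported.
    """
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, later["port"])):
                shadowed.append(later["text"])
                break
    return shadowed


# The "Spot the bug" firewall, the same two rules reordered, and the page's example ACL.
BUGGY_ACL = [parse_rule(l) for l in ("permit ip any any", "deny tcp any any eq 22")]
FIXED_ACL = [parse_rule(l) for l in ("deny tcp any any eq 22", "permit ip any any")]
PAGE_ACL = [parse_rule(l) for l in ("permit tcp 10.50.0.0/24 host 10.50.1.20 eq 8443",
                                    "permit tcp any host 203.0.113.20 eq 443",
                                    "deny ip any any log")]

if __name__ == "__main__":
    ssh = ("tcp", "198.51.100.5", "10.50.1.20", 22)   # constructed inbound SSH attempt
    print("buggy :", evaluate(BUGGY_ACL, *ssh), "shadowed:", shadowed_rules(BUGGY_ACL))
    print("fixed :", evaluate(FIXED_ACL, *ssh), "shadowed:", shadowed_rules(FIXED_ACL))
    print("page  :", evaluate(PAGE_ACL, "tcp", "10.60.0.7", "10.50.1.20", 8443))
```

Running `shadowed_rules` over a rule base is a cheap audit step: it catches the ordering bug above and the "duplicated rules" mistake from the key points, and a rule that is shadowed is usually either dead weight or a sign that the permit above it is broader than anyone intended.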
Explain like I'm 5
Routing is deciding which road a letter should travel. NAT is swapping return addresses so replies come back to you. ACLs are the bouncer at the door — reading name tags and deciding who walks in.
Fun fact
BGP — the routing protocol that runs the public internet — has caused multiple global outages when misconfigured. In 2008 Pakistan accidentally took YouTube offline for hours by advertising a wrong BGP route.
Hands-on challenge
Draw a simple enterprise topology: internet → edge firewall → core switch → VLANs (users, servers, DMZ). Add SNAT for users, DNAT for a published portal, and 4 ACL rules with reasons. Have a friend critique it.
More resources
- Routing basics (Cisco Learning) (Cisco Networking Academy)
- NAT explained (Cloudflare Learning)
- ACLs & Firewalls for beginners (Jeremy’s IT Lab)