they must be implemented at each ingress point for a protected destination. Implementing the standard access list as close to the protected destination as possible reduces the total number of access lists required. Numbered standard access lists can be used for filtering traffic being forwarded or received by a router or switch. Numbered standard access lists use the number ranges 1-99 and 1300-1999. Named standard ACLs have the same capabilities and limitations as numbered standard ACLs. The main advantage of a named ACL is better documentation, as the ACL can be named according to its purpose. One significant disadvantage is that other processes, such as SNMP security, cannot reference named standard ACLs. Figure shows the command syntax for creating numbered standard access lists. Figure shows the command syntax for creating named standard access lists.
6.1 Characteristics of Transport Layer Technologies

6.1.5 Extended access control lists

Standard IP access lists can permit or deny packets based only on the source IP address of the packet. Extended access lists have more features and can be used to target very specific traffic based on any combination of the following:

Extended access lists can also be used to filter ICMP traffic based on ICMP type and code. Because extended access lists can filter on destination address, they should be implemented as close as possible to the source of the traffic being filtered, typically at the edge of an organization's network. This enables traffic to be examined and filtered before crossing expensive and congested WAN links within the organization.

Numbered extended access lists are primarily used to filter traffic being forwarded through a router and can be configured to use the number ranges 100-199 and 2000-2699. Named extended access lists are also primarily used to filter traffic being forwarded through a router and are often used to provide better documentation of the configuration on the router. Figure shows the command syntax to create a numbered extended access list. Figure shows the command syntax to create a named extended access list.
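As an added illustration (not part of the curriculum text, and not Cisco IOS code), the following Python models the matching rules described in the standard and extended ACL sections above: a standard ACL tests only the source address against a wildcard mask, an extended ACL tests protocol, source, destination and destination port, entries are evaluated top-down with the first match winning, and a packet that matches nothing falls through to the implicit deny. The IOS statements in the comments are the entries each tuple stands for; the ACL contents, packet dictionaries and addresses are constructed for the example.

```python
import ipaddress


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


ANY = ("0.0.0.0", "255.255.255.255")          # the IOS keyword "any"

# Constructed standard ACL: (action, source, wildcard).  Only the source is tested.
STANDARD_ACL_10 = [
    ("deny",   "192.168.1.50", "0.0.0.0"),    # access-list 10 deny host 192.168.1.50
    ("permit", "192.168.1.0",  "0.0.0.255"),  # access-list 10 permit 192.168.1.0 0.0.0.255
]

# Constructed extended ACL: (action, protocol, src, src_wc, dst, dst_wc, dst_port_condition).
EXTENDED_ACL_110 = [
    # access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.10 eq 443
    ("permit", "tcp", "192.168.1.0", "0.0.0.255", "10.1.1.10", "0.0.0.0", ("eq", 443)),
    # access-list 110 deny tcp 192.168.1.0 0.0.0.255 host 10.1.1.10
    ("deny",   "tcp", "192.168.1.0", "0.0.0.255", "10.1.1.10", "0.0.0.0", None),
    # access-list 110 permit ip 192.168.1.0 0.0.0.255 any
    ("permit", "ip",  "192.168.1.0", "0.0.0.255", *ANY, None),
]


def _port_ok(condition, port):
    """Evaluate an IOS-style port operator (eq, neq, gt, lt); None means any port."""
    if condition is None:
        return True
    if port is None:
        return False
    op, value = condition
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def standard_acl(acl, packet):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, src, wc in acl:
        if wildcard_match(packet["src"], src, wc):
            return action
    return "deny"


def extended_acl(acl, packet):
    """Match protocol, source, destination and destination port, top-down."""
    for action, proto, src, swc, dst, dwc, dport in acl:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], src, swc):
            continue
        if not wildcard_match(packet["dst"], dst, dwc):
            continue
        if not _port_ok(dport, packet.get("dport")):
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets.
    for pkt in ({"src": "192.168.1.50"}, {"src": "192.168.1.7"}, {"src": "10.0.0.1"}):
        print("ACL 10", pkt["src"], "->", standard_acl(STANDARD_ACL_10, pkt))
    samples = [
        {"src": "192.168.1.7", "dst": "10.1.1.10", "proto": "tcp", "dport": 443},
        {"src": "192.168.1.7", "dst": "10.1.1.10", "proto": "tcp", "dport": 80},
        {"src": "192.168.1.7", "dst": "10.1.1.10", "proto": "udp", "dport": 53},
        {"src": "172.16.0.1",  "dst": "10.1.1.10", "proto": "icmp"},
    ]
    for pkt in samples:
        print("ACL 110", pkt, "->", extended_acl(EXTENDED_ACL_110, pkt))
```

The order of the two `tcp` entries in ACL 110 is what makes port 443 reachable while other TCP ports on the server are refused; swapping them would deny everything, which is the usual mistake the top-down rule produces. ICMP type and code matching, which the text mentions, is not modelled here.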
6.1.6 Static IP Network Address Translation

‘The IP Network Address Translator’ is a technology defined in RFC 1631 that allows one group of addresses to be represented by another group of addresses. NAT is technically a network layer technology, but has some features that extend into the transport layer.

As IPv4 started to run out of addresses, several measures were developed to alleviate the pressure. One of these measures was the introduction of reserved private network address spaces in RFC 1918. This RFC reserves three address spaces which are not recognized or routed by the Internet and can be re-used by networks which do not need to connect to other networks or to the Internet. Internet core routers are configured to drop any packets either sourced from or destined to an address in any of these reserved address spaces. The three address spaces reserved by RFC 1918 are shown in Figure .

NAT is a process which allows networks originally configured with one of these reserved address spaces to connect to other privately addressed networks and to the Internet without having to re-address the internal network. NAT is normally an additional process that is run on routers operating on the boundary between two discrete networks. NAT works, either statically or dynamically, by using a table of IP addresses to re-write the addressing information in an IP packet header. In its simplest form, the network engineer manually builds the NAT table. The table has addresses used inside the network mapped to addresses used outside the network. Each table entry represents a single host inside the network. The following process shows the operation of NAT:
6.1.7 Dynamic IP Network Address Translation

NAT can be configured in a number of ways:

Static tables are manually defined by a network engineer and traditionally define a one-to-one mapping between inside and outside IP addresses so that only the IP address portion of the packet header is altered. Static NAT has the benefit of offering both connectivity and security because hosts on either side of the NAT router cannot communicate if the administrator has not defined an appropriate NAT table entry. The main disadvantage of static NAT is that it requires one outside address for each inside address that needs to be translated. Because it is unlikely that all of the inside hosts will need to communicate through the NAT router at the same time, static NAT wastes precious outside addresses. Another significant disadvantage of static NAT is that it must be manually administered. Manual administration of a NAT table can be difficult for a small network and is likely to be impossible for a large network.

Dynamic NAT has neither of the problems associated with static NAT. Dynamic NAT creates entries in the NAT table as required and removes them after they have remained idle for a predefined period. Dynamic NAT allows a large number of inside hosts to share a small number of outside addresses. Dynamic NAT also offers greater security than static NAT, because unlike static NAT, entries in a dynamic NAT table are deleted after they have been idle for a short time. The main problem with dynamic NAT is that it can be more complex to troubleshoot as the mapping entries in the table change. Sometimes this results in intermittent symptoms and problems. Entries that fail to automatically expire from the NAT table also cause issues with network operation as they do not release outside addresses that would have otherwise become available.

Dynamic NAT operates by examining the packets as they are processed for forwarding.
If a suitable entry already exists in the NAT table, the timer for that entry is reset, the address of the packet is updated as appropriate, and the packet is forwarded. If the NAT table does not already have a suitable entry, the NAT process uses an address from the pool of available outside addresses to create a new entry before setting the expiration timer for the entry. It will then update the header of the packet with the new addressing information, and forward the packet. If all of the outside addresses are currently in use, the NAT process drops the packet and returns an error to the inside host.

NAT with overload and Port Address Translation
Dynamic NAT also has a feature called overloading, or Port Address Translation. NAT without overloading operates at the network layer only, and only IP address information is substituted in packet headers. NAT with overloading extends the operation of NAT into the transport layer, and UDP and TCP port numbers are included with entries in the NAT table. A significant consideration for implementing NAT with overload is that it can only be used for sessions from network clients. Servers hosting specific applications must
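The three NAT behaviours described in sections 6.1.6 and 6.1.7 (a static table, a dynamic table with idle timers and a finite outside pool, and overload/PAT keyed on address plus port) can be shown together in one small simulator. This Python is an added example written for this page; it is not Cisco IOS code and not from the curriculum. The class and field names, the pool addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the inside hosts and the idle timeout are all constructed for the illustration, and the `dropped` list stands in for the error the text says is returned to the inside host when the pool is exhausted.

```python
import time
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class NatEntry:
    inside: str          # inside local address
    inside_port: int     # only meaningful for overload (PAT)
    outside: str         # inside global address
    outside_port: int    # only meaningful for overload (PAT)
    last_used: float     # timestamp driving the idle timer


class NatRouter:
    """Translates inside->outside packets at one network boundary.

    mode="static":   table comes from static_map; nothing is added or expired
    mode="dynamic":  one outside address per active inside host; idle entries expire
    mode="overload": every host shares pool[0]; entries keyed on address + port (PAT)
    """

    def __init__(self, mode, pool, idle_timeout=300.0, static_map=None):
        if mode not in ("static", "dynamic", "overload"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.mode = mode
        self.pool = list(pool)
        self.idle_timeout = idle_timeout
        self.static_map = dict(static_map or {})
        self.table = {}      # key -> NatEntry
        self.dropped = []    # error notifications that would go back to inside hosts
        self._next_port = 1024

    def _key(self, pkt):
        # PAT keys on the transport-layer port as well; plain NAT on the address only.
        return (pkt.src, pkt.sport) if self.mode == "overload" else (pkt.src, 0)

    def _expire_idle(self, now):
        stale = [k for k, e in self.table.items() if now - e.last_used > self.idle_timeout]
        for k in stale:
            del self.table[k]    # releases the outside address for reuse

    def _allocate(self, pkt):
        """Return (outside address, outside port), or None when nothing is available."""
        if self.mode == "static":
            outside = self.static_map.get(pkt.src)
            return None if outside is None else (outside, 0)
        if self.mode == "dynamic":
            in_use = {e.outside for e in self.table.values()}
            free = [a for a in self.pool if a not in in_use]
            return (free[0], 0) if free else None
        port = self._next_port          # overload: unique port on the shared address
        self._next_port += 1
        return (self.pool[0], port)

    def translate(self, pkt, now=None):
        """Rewrite the packet's source; return the new packet, or None if dropped."""
        now = time.monotonic() if now is None else now
        if self.mode != "static":
            self._expire_idle(now)
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            alloc = self._allocate(pkt)
            if alloc is None:
                self.dropped.append(f"no translation for {pkt.src}: packet dropped")
                return None
            entry = NatEntry(pkt.src, pkt.sport, alloc[0], alloc[1], now)
            self.table[key] = entry
        entry.last_used = now           # reset the idle timer on every hit
        sport = entry.outside_port if self.mode == "overload" else pkt.sport
        return Packet(entry.outside, pkt.dst, sport, pkt.dport)


if __name__ == "__main__":
    # Constructed demonstration: two outside addresses, three inside hosts.
    nat = NatRouter("dynamic", ["203.0.113.10", "203.0.113.11"], idle_timeout=60)
    for t, host in ((0, "10.0.0.1"), (1, "10.0.0.2"), (2, "10.0.0.3")):
        print(t, host, "->", nat.translate(Packet(host, "198.51.100.5", 40000, 80), now=t))
    print(nat.dropped)
    # PAT: both hosts leave with the same outside address but different ports.
    pat = NatRouter("overload", ["203.0.113.20"])
    print(pat.translate(Packet("10.0.0.1", "198.51.100.5", 40000, 80), now=0))
    print(pat.translate(Packet("10.0.0.2", "198.51.100.5", 40000, 80), now=0))
```

Passing `now` explicitly makes the idle-timer behaviour reproducible: the third host is refused while both pool addresses are held, and obtains one only after another host's entry has been idle longer than the timeout. The troubleshooting difficulty the text mentions is visible in the same run, since which outside address a host receives depends on timing rather than on configuration.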