Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Mats2208/MCP-Packet-Tracer/llms.txt

Use this file to discover all available pages before exploring further.

After a topology is deployed into Packet Tracer, you can continue modifying live routers without redeploying the entire topology. The pt_apply_acl and pt_apply_nat tools send configureIosDevice commands through the HTTP bridge at port 54321, applying access control lists and NAT translations to routers that are already running in the canvas. These tools work independently of pt_live_deploy — they can target any existing device by name.
pt_apply_acl and pt_apply_nat require the HTTP bridge to be active. Run the PTBuilder bootstrap snippet in Cisco Packet Tracer’s Builder Code Editor before calling these tools. Use pt_bridge_status to verify connectivity.

Access Control Lists (ACL)

ACL Types

MCP Packet Tracer supports all three IOS ACL variants. Choose the type based on how granular your filtering needs to be.
TypeNumber RangeFilters OnWhen to Use
standard1–99Source IP onlySimple traffic blocking by origin subnet or host
extended100–199Source + Destination + Protocol + PortsFine-grained rules: block HTTP to a server, permit ICMP only
namedAny stringSource + Destination + Protocol + PortsHuman-readable identifiers; easier to edit in IOS

Applying an ACL

The pt_apply_acl tool accepts an ACLPlan describing the router, ACL identifier, type, and a list of entries, plus an optional binding that attaches the ACL to a specific interface and direction. Example — extended ACL blocking HTTP from LAN to a server: 
pt_apply_acl(
    router="R1",
    name_or_number="101",
    acl_type="extended",
    entries=[
        {
            "action": "deny",
            "protocol": "tcp",
            "source": "192.168.0.0 0.0.0.255",
            "destination": "host 192.168.1.100",
            "dest_port_op": "eq",
            "dest_port": 80
        },
        {
            "action": "permit",
            "protocol": "ip",
            "source": "any",
            "destination": "any"
        }
    ],
    binding_interface="GigabitEthernet0/0",
    binding_direction="in"
)
IOS commands generated and sent to Packet Tracer: 
enable
configure terminal
access-list 101 deny tcp 192.168.0.0 0.0.0.255 host 192.168.1.100 eq 80
access-list 101 permit ip any any
interface GigabitEthernet0/0
 ip access-group 101 in
 exit
end
write memory

Validation Rules

Before sending any commands, pt_apply_acl validates:
  • Number ranges — standard ACLs must be 1–99, extended must be 100–199
  • Wildcard masks — must be valid bitwise inverses of subnet masks
  • Protocol/port coherence — port operators (eq, lt, gt, range) are only valid for tcp and udp; ICMP types only apply to icmp
  • Unreachable rules — entries after an permit ip any any or deny ip any any that will never match are flagged

Object API Variants

In addition to the CLI-based tools above, MCP Packet Tracer provides two Object API variants that drive Packet Tracer’s AclProcess JavaScript API directly instead of sending IOS access-list commands through configureIosDevice. These are useful when working with the live bridge in environments where CLI passthrough is unavailable or unreliable.
  • pt_apply_acl_object — applies an ACL using the Object API (AclProcess JS API)
  • pt_remove_acl_object — removes an ACL using the Object API
See the ACL tool reference for full parameter details on all four ACL tools.

Removing an ACL

pt_remove_acl removes the ACL definition and, optionally, its interface binding. 
pt_remove_acl(
    router="R1",
    name_or_number="101",
    binding_interface="GigabitEthernet0/0",
    binding_direction="in"
)
Generated commands: 
enable
configure terminal
interface GigabitEthernet0/0
 no ip access-group 101 in
 exit
no access-list 101
end
write memory

NAT and PAT

NAT Modes

Three NAT modes map directly to the three IOS NAT variants taught in CCNA.
ModeKeyWhen to Use
Static NATstaticServers that need a fixed public IP (web, FTP, mail)
Dynamic NATdynamicPool of public IPs assigned on demand; rare in modern networks
PAT (overload)patMany private IPs share one public IP via port numbers

Applying PAT (Most Common)

PAT with use_interface_overload=True is the typical home and enterprise scenario — the outside interface’s IP is used directly, so no pool is needed. pt_apply_nat takes flat individual parameters: 
pt_apply_nat(
    router="R1",
    mode="pat",
    inside_interface="GigabitEthernet0/0",
    outside_interface="GigabitEthernet0/1",
    acl_number="1",
    inside_networks=["192.168.0.0 0.0.0.255"],
    use_interface_overload=True
)
IOS commands generated and sent to Packet Tracer: 
enable
configure terminal
interface GigabitEthernet0/0
 ip nat inside
 exit
interface GigabitEthernet0/1
 ip nat outside
 exit
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
end
write memory

Applying Static NAT

Static NAT maps individual private IPs to fixed public IPs with a 1:1 relationship. 
pt_apply_nat(
    router="R1",
    mode="static",
    inside_interface="GigabitEthernet0/0",
    outside_interface="GigabitEthernet0/1",
    static_mappings=[
        {"inside_local": "192.168.0.10", "inside_global": "200.1.1.5"}
    ]
)
Generated commands: 
interface GigabitEthernet0/0
 ip nat inside
 exit
interface GigabitEthernet0/1
 ip nat outside
 exit
ip nat inside source static 192.168.0.10 200.1.1.5

Applying Dynamic NAT (Pool)

Dynamic NAT assigns public IPs from a pool on demand. Pass pool parameters as individual fields: 
pt_apply_nat(
    router="R1",
    mode="dynamic",
    inside_interface="GigabitEthernet0/0",
    outside_interface="GigabitEthernet0/1",
    acl_number="1",
    inside_networks=["192.168.0.0 0.0.0.255"],
    pool_name="NAT-POOL",
    pool_start="200.1.1.1",
    pool_end="200.1.1.10",
    pool_netmask="255.255.255.0"
)
Generated commands: 
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat pool NAT-POOL 200.1.1.1 200.1.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool NAT-POOL

Removing NAT

pt_remove_nat removes all NAT rules, the pool, the ACL, and the inside/outside interface markings. 
pt_remove_nat(
    router="R1",
    mode="pat",
    inside_interface="GigabitEthernet0/0",
    outside_interface="GigabitEthernet0/1",
    acl_number="1"
)
Generated commands: 
enable
configure terminal
interface GigabitEthernet0/0
 no ip nat inside
 exit
interface GigabitEthernet0/1
 no ip nat outside
 exit
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
no access-list 1
end
write memory
Use pt_bridge_status before calling pt_apply_acl or pt_apply_nat to confirm the bridge is polling. If the bridge is down, commands are queued but not executed until PTBuilder reconnects.

Build docs developers (and LLMs) love

Get started for freeTalk to us