NAT + ACL order

Answered Question
Oct 29th, 2007

Without NAT, the order is easy:

1. Incoming ACL

2. Routing Process

3. Outgoing ACL

At what step does the "average source NAT" take place?

Scenario: A typical SOHO where you would translate a complete LAN to a single public IP (inside global) on your WAN interface.

Is it before the Incoming ACL, i.e. step 0? Or is it after the Incoming ACL, i.e. step "1.5"?

For example, if you want to filter traffic by the source address, any outgoing ACL on the WAN interface would have to use the already translated address. So far, so good. But what about the Incoming ACL on the LAN interface? Will it have to match the non-translated source addresses or the translated addresses?

Thanks in advance,


Correct Answer by Jon Marshall about 8 years 12 months ago

Hi Oliver

It depends on whether the traffic is going from outside to inside or from inside to outside. Have a look at the attached document. Hopefully it will answer your questions.




