
NAT + ACL order

keller.oliver
Level 1

Without NAT, the order is easy:

1. Incoming ACL

2. Routing Process

3. Outgoing ACL

At what step does the "average source NAT" take place?

Scenario: A typical SOHO where you would translate a complete LAN to a single public IP (inside global) on your WAN interface.

Is it before the Incoming ACL, i.e. step 0? Or is it after the Incoming ACL, i.e. step "1.5"?

For example, if you want to filter traffic by the source address, any outgoing ACL on the WAN interface would have to use the already translated address. So far, so good. But what about the Incoming ACL on the LAN interface? Will it have to match the non-translated source addresses or the translated addresses?

Thanks in advance,

Oliver

Accepted Solutions

Jon Marshall
Hall of Fame

Hi Oliver

It depends on whether the traffic is going from outside to inside or from inside to outside. Have a look at the attached document. Hopefully it will answer your questions.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

HTH

Jon

Thanks Jon, exactly the answer I was looking for.

Later,

Oliver
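
The SOHO scenario from the question as an IOS configuration, added here as an illustration and not posted by either participant. Per Cisco's documented NAT order of operation, inside-to-outside traffic passes the inbound ACL, then routing, then NAT, then the outbound ACL, while outside-to-inside traffic passes the inbound ACL, then NAT, then routing. All addresses, interface names and ACL names are constructed.

```cisco
! Constructed SOHO example: addresses, interface names and ACL names are assumptions.
! LAN 192.168.1.0/24 (inside local), WAN 203.0.113.2 (inside global).
!
! Selects which inside sources get translated.
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
!
! Inbound on the LAN interface: checked BEFORE routing and NAT,
! so it matches the original (inside local) source addresses.
ip access-list extended LAN-IN
 deny   ip host 192.168.1.50 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! Outbound on the WAN interface: checked AFTER inside-to-outside NAT,
! so every LAN host appears as the translated (inside global) address.
ip access-list extended WAN-OUT
 permit ip host 203.0.113.2 any
!
! Inbound on the WAN interface: checked BEFORE outside-to-inside NAT,
! so return traffic is still addressed to the inside global address.
ip access-list extended WAN-IN
 permit tcp any host 203.0.113.2 established
 permit udp any eq domain host 203.0.113.2
 permit icmp any host 203.0.113.2 echo-reply
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group LAN-IN in
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
!
! PAT: translate the whole LAN to the WAN interface address.
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
```

Because every LAN host leaves with the same source address, per-host filtering has to happen in LAN-IN; WAN-OUT can no longer tell the hosts apart.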