Cisco Firewall: NAT first, or process the rules first?

Hi All,

I've been thinking about this question, as I'm quite confused by it with other firewalls such as Cyberguard TSP.

Does ASA/PIX perform NAT first and then the rules, or vice versa? From the cert study material, it seems to be rules first, then NAT. An example would be an outside public host having access into your internal host using the public IP (the NAT IP of the internal host).

For the Cyberguard TSP, it's the other way around: it NATs first and then processes the rules. The rule I have configured, which works for the public to access my internal host, is like "allow public_ip_address to private_ip_address using_the_tcp_port".

Please help answer my query.

acomiskey Fri, 04/11/2008 - 06:36

ACL, then NAT. Take the following example.

access-list outside_access_in extended permit tcp any host x.x.x.x eq www

static (inside,outside) x.x.x.x y.y.y.y netmask

If it were the other way around, you would specify y.y.y.y in your acl.

Here's a good doc...
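As an added illustration (not from the thread), the following Python model replays one inbound HTTP request through both orders of operations discussed above: the "ACL then NAT" order the answer describes for ASA/PIX, and the "NAT then ACL" order the poster describes for Cyberguard TSP. It assumes constructed placeholder addresses, one static host translation, and a one-line ACL written either against the mapped (public) address or the real (private) address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class AclEntry:
    """One ACE of the form "permit tcp any host <dst> eq <dport>" (source is always any)."""
    action: str   # "permit" or "deny"
    proto: str
    dst: str      # "any" or one host address
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.dst in ("any", pkt.dst)
                and self.dport == pkt.dport)

def acl_permits(acl: list, pkt: Packet) -> bool:
    # First matching entry wins; an ASA ACL ends with an implicit deny
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False

def static_nat(statics: dict, pkt: Packet) -> Packet:
    # "static (inside,outside) <mapped> <real>": inbound packets are rewritten mapped -> real
    real = statics.get(pkt.dst)
    return Packet(pkt.proto, pkt.src, real, pkt.dport) if real else pkt

def process_inbound(order: str, acl: list, statics: dict, pkt: Packet):
    """Return the packet as forwarded to the inside, or None if the ACL dropped it."""
    if order == "acl_then_nat":   # ASA/PIX order described in the answer
        return static_nat(statics, pkt) if acl_permits(acl, pkt) else None
    if order == "nat_then_acl":   # Cyberguard TSP order described in the question
        translated = static_nat(statics, pkt)
        return translated if acl_permits(acl, translated) else None
    raise ValueError(f"unknown order {order!r}")

# Constructed sample addresses from documentation ranges, not taken from the thread
MAPPED, REAL = "203.0.113.10", "192.168.1.10"
STATICS = {MAPPED: REAL}
ACL_ON_MAPPED = [AclEntry("permit", "tcp", MAPPED, 80)]   # the answer's working form
ACL_ON_REAL = [AclEntry("permit", "tcp", REAL, 80)]       # the Cyberguard-style form
WEB_REQUEST = Packet("tcp", "198.51.100.7", MAPPED, 80)   # outside client hitting the public IP
```

Under "acl_then_nat" only ACL_ON_MAPPED forwards the request, while under "nat_then_acl" only ACL_ON_REAL does, which is exactly why the same rule text fails when carried between the two products. Note that ASA 8.3 and later changed this behaviour: ACLs there match the real (untranslated) address, so the second form is the one that applies on those releases.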
