Cisco Firewall NAT first or process the rules first

smart5
Level 1

Hi All,

I've been thinking about this question as I'm quite confused with it with other firewalls such as Cyberguard TSP.

Does ASA/PIX perform NAT first then the rules, or vice versa? From the cert study material, it seems to be rules first then NAT. An example will be outside public having access into your internal host using the public IP (NAT IP of the internal host).

For the Cyberguard TSP, it's the other way: it NATs first then processes the rules. The rule I have configured and which works for public to access my internal host is like "allow public_ip_address to private_ip_address using_the_tcp_port".

Please help to answer my query,

Thanks

1 Reply

acomiskey
Level 10

ACL then NAT. Take the following example.

access-list outside_access_in extended permit tcp any host x.x.x.x eq www

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

If it were the other way around, you would specify y.y.y.y in your acl.

Here's a good doc...

http://www.cisco.com/warp/public/556/5.html
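To make the ordering in the reply concrete, here is an added toy model (not from the thread or from Cisco) of the classic PIX/ASA inbound path: the outside ACL is evaluated against the packet as it arrives, so the destination it sees is the mapped public address from the static, and only after a permit does the static untranslate it to the real inside address. The addresses, ACL tuples and function names are constructed stand-ins for x.x.x.x / y.y.y.y.

```python
# Toy model of the classic PIX/ASA inbound order of operations: ACL first
# (against the mapped address on the outside interface), then static NAT.
# Addresses are constructed placeholders for the thread's x.x.x.x / y.y.y.y.
from dataclasses import dataclass

MAPPED_IP = "203.0.113.10"   # x.x.x.x, public address in the static
REAL_IP = "10.1.1.10"        # y.y.y.y, real inside host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# access-list outside_access_in extended permit tcp any host <dst> eq <port>
# modelled as (action, proto, src, dst, dport); "any" matches everything.
def acl_match(acl, pkt):
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and src in ("any", pkt.src)
                and dst in ("any", pkt.dst) and dport in ("any", pkt.dport)):
            return action
    return "deny"   # implicit deny at the end of every ACL

# static (inside,outside) MAPPED REAL: inbound traffic to MAPPED is
# untranslated to REAL before it is forwarded to the inside interface.
def static_untranslate(statics, pkt):
    return Packet(pkt.src, statics.get(pkt.dst, pkt.dst), pkt.proto, pkt.dport)

def process_inbound(acl, statics, pkt):
    """ACL first, then NAT. Returns (verdict, packet forwarded to inside)."""
    if acl_match(acl, pkt) != "permit":
        return "denied", pkt
    return "permitted", static_untranslate(statics, pkt)

STATICS = {MAPPED_IP: REAL_IP}
ACL_MAPPED = [("permit", "tcp", "any", MAPPED_IP, 80)]  # the reply's ACL
ACL_REAL = [("permit", "tcp", "any", REAL_IP, 80)]      # NAT-first style ACL

def demo():
    # Constructed inbound web request from the Internet to the public address.
    web = Packet("198.51.100.7", MAPPED_IP, "tcp", 80)
    return process_inbound(ACL_MAPPED, STATICS, web), \
        process_inbound(ACL_REAL, STATICS, web)

if __name__ == "__main__":
    for verdict, pkt in demo():
        print(verdict, "-> dst", pkt.dst)
```

The ACL written against the real address y.y.y.y never matches because the destination has not been untranslated yet when the ACL runs; note that this reflects the classic PIX/ASA behaviour discussed here, and ASA 8.3 and later evaluate ACLs against real addresses instead.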