Cisco Support Community
New Member

ZBF and NAT

Hello.

As I studied, interface ACLs and Zone-Based Firewall should not be applied at the same time. This means that every packet is processed by the router (I'm thinking of NAT).

For example, unwanted traffic is processed by NAT before it is dropped by ZBF. Do you think this is optimal?

2 REPLIES
New Member

ZBF and NAT

Hi,

It is not a question of being optimal or not. Packets processed by the Zone-Based Firewall are either fast switched or process switched, so that's probably why NAT is processed before the Zone-Based Firewall.

On the other hand, inbound ACLs (if no further processing is necessary for other features) are processed by CEF, so the packets don't go to the router's CPU and are processed before NAT.

I hope it makes sense.

New Member

Re: ZBF and NAT

Hi,

What you said is a logical and correct point of view on packet processing, but what do you think about firewall processing?

I don't understand why an unwanted packet has to be processed by NAT before dropping it.

ASA behavior is a little bit different: it uses the real IP address, but the interface ACL is still used to block packets before other processing.

Regards,
