ZBF + NAT - order of operation

mlopacinski
Level 1

Hello

I have a zone based firewall with policies between inside->outside and outside->inside.

I also have a static NAT sharing an inside server with outside users:

ip nat inside source static inside_addr1 outside_addr1

I want to accept this traffic (initiated by outside users to this server).

1. What is the order of operation?

2. In the outside->inside policy, should I accept traffic to inside_addr1 or outside_addr1?

(In ASA I could accept inside_addr1 right now - what about IOS? Maybe it accepts both of the addresses?)

Thanx


3 Replies

Julio Carvajal
VIP Alumni

Hello....

NAT goes first!! So you should accept the traffic from the outside public IP address to your private IP address.

This will answer your question.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
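As an added example (not from the thread, the poster, or Cisco documentation), the configuration below implements the setup the question describes in the way Julio's answer implies: since NAT is applied before the outside->inside zone-pair policy, the class-map for the published server matches its private address, not the public one. Zone names, interface names, service ports and all addresses are assumed sample values.

```cisco
! Added example (not from the thread): IOS ZBF with a static-NAT published
! inside server. Per Julio's answer NAT runs before the outside->inside
! policy, so the class-map matches the server's PRIVATE address.
! All addresses are constructed sample values.
ip nat inside source static 10.1.1.10 192.0.2.10
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
! Outside -> inside: only HTTP/HTTPS to the server, keyed on the
! post-NAT private address 10.1.1.10 (not the public 192.0.2.10).
ip access-list extended ACL-OUT-TO-WEB
 permit tcp any host 10.1.1.10 eq 80
 permit tcp any host 10.1.1.10 eq 443
!
class-map type inspect match-all CM-OUT-TO-WEB
 match access-group name ACL-OUT-TO-WEB
!
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-WEB
  inspect
 class class-default
  drop log
!
! Inside -> outside: inspect sessions initiated by inside hosts.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
```

A quick way to confirm which address the policy is keyed on is `show policy-map type inspect zone-pair OUT-TO-IN sessions` while an outside client is connected: the inspected sessions should list the private 10.1.1.10 as the destination.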

You are right - that works, but according to http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

NAT is after the input access-list. So why does the router accept traffic initiated from outside to the private IP address?

Why does the input ACL not drop this traffic?

Does ZBF change anything?

Let's assume a scenario where we do not have ZBF, just static NAT and an ACL on the outside interface. In such a case the ACL on the outside interface would need to accept traffic to the public (not private) address. Why does this logic change with ZBF?

Thanx

Ohhh, that is something documented in the Zone based firewall configuration: you should not use ACLs and Zone based firewall at the same time. But, regarding your question, first goes ACL, then NAT, then Firewall. But again, ACLs and Zone based firewall are not meant to be together.

Mike