02-05-2012 12:05 PM - edited 03-11-2019 03:24 PM
Hello
I have a zone-based firewall and policies between inside->outside and outside->inside.
I also have a static NAT exposing an inside server to outside users:
ip nat inside source static inside_addr1 outside_addr1
I want to accept this traffic (initiated by outside users to this server).
1. What is the order of operations?
2. In the outside->inside policy, should I accept traffic to inside_addr1 or outside_addr1?
(On the ASA I can accept inside_addr1 right now; what about IOS? Maybe it accepts both addresses?)
Thanks
02-05-2012 10:12 PM
Hello....
NAT goes first! So you should accept the traffic from the outside public IP address to your private IP address.
This will answer your question.
Regards,
Julio
02-05-2012 11:16 PM
You are right, that works, but according to http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
NAT comes after the input access list. So why does the router accept traffic initiated from outside to the private IP address?
Why doesn't the input ACL drop this traffic?
Does ZBF change anything?
Let's assume a scenario where we do not have ZBF, just static NAT and an ACL on the outside interface. In that case the ACL on the outside interface would need to accept traffic to the public (not private) address. Why does this logic change with ZBF?
Thanks
02-06-2012 08:21 AM
Ohhh, that is something documented for the zone-based firewall configuration: you should not use ACLs and the zone-based firewall at the same time. But regarding your question, first comes the ACL, then NAT, then the firewall. But again, ACLs and the zone-based firewall are not meant to be used together.
Mike
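The configuration Julio and Mike describe, written out as an added example (it is not from the thread or from Cisco documentation). Addresses, interface names and the published service are assumed: the inside server 192.168.1.10 is published as 203.0.113.10 (RFC 5737 documentation ranges), Gi0/0 is the outside interface and Gi0/1 the inside interface, and only HTTP is exposed. The point it shows is the one the thread settles on: the zone-pair policy is evaluated after outside-to-inside NAT, so the class map must match the real (private) address, while an inbound interface ACL on the outside interface is evaluated before NAT and would have to match the public address.

```cisco
! Added example, not from the thread. Assumed addresses and interface names.
! Static NAT: inside 192.168.1.10 published as 203.0.113.10
ip nat inside source static 192.168.1.10 203.0.113.10

zone security inside
zone security outside

interface GigabitEthernet0/0
 description outside (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 zone-member security outside

interface GigabitEthernet0/1
 description inside (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security inside

! outside->inside: ZBF runs after global->local translation, so match the
! private (untranslated) server address here, not 203.0.113.10.
ip access-list extended OUT-TO-IN-WEB
 permit tcp any host 192.168.1.10 eq 80

class-map type inspect match-all CM-OUT-TO-IN-WEB
 match access-group name OUT-TO-IN-WEB

policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-IN-WEB
  inspect
 class class-default
  drop log

zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PM-OUT-TO-IN

! Contrast (left commented out): an inbound ACL on the outside interface is
! evaluated before NAT, so it sees the public address. This is the non-ZBF
! design the thread discusses; do not combine it with the zone-pair above.
! ip access-list extended OUTSIDE-IN
!  permit tcp any host 203.0.113.10 eq 80
!  deny ip any any log
! interface GigabitEthernet0/0
!  ip access-group OUTSIDE-IN in
```

The `class class-default` with `drop log` makes anything not explicitly inspected on the outside->inside pair visible in the log, which is the check to run when a published service unexpectedly stops working: if the drop counters show the private address, the class map is matching pre-NAT and needs the inside address; if the interface ACL counters show the public address, that ACL is the one doing the filtering. `show policy-map type inspect zone-pair OUT-IN sessions` and `show ip nat translations` show which side of the translation each hit landed on.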