Cisco Support Community
New Member

ZBF + NAT - order of operation

Hello

I have zone based firewall and policy between inside->outside and outside->inside.

I have also static nat sharing inside server for outside users:

ip nat inside source static inside_addr1 outside_addr1

I want to accept this traffic (initiated by outside users to this server).

1. What is the order of operation?

2. In the policy outside->inside, should I accept traffic to inside_addr1 or to outside_addr1?

(On the ASA I can accept inside_addr1 right now. What about IOS? Maybe it accepts both of the addresses?)

Thanks

2 ACCEPTED SOLUTIONS

ZBF + NAT - order of operation

Hello....

NAT goes first!! So you should accept the traffic from the outside public IP address to your private IP address.

This will answer your question.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Cisco Employee

ZBF + NAT - order of operation

Ohhh, that is something documented in the Zone-Based Firewall configuration: you should not use ACLs and the Zone-Based Firewall at the same time. But, regarding your question, first goes the ACL, then NAT, then the firewall. But again, ACLs and Zone-Based Firewall are not meant to be together.

Mike

Mike
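Putting the two accepted answers above into a concrete IOS configuration, as an added example that is not from the original thread: the addresses (10.1.1.10 as inside_addr1, 203.0.113.10 as outside_addr1), interface names and object names are assumptions. The point it shows is that the static NAT translation is applied to inbound (outside->inside) traffic before Zone-Based Firewall inspection, so the ACL referenced by the outside->inside class-map must match the private address; an interface ACL applied with ip access-group on the outside interface, by contrast, is checked before NAT and would have to match the public address.

```cisco
! Added example (not from the thread). Assumed addressing:
!   inside server  10.1.1.10    (inside_addr1, private)
!   public mapping 203.0.113.10 (outside_addr1, public)
!   Gi0/0 = outside interface, Gi0/1 = inside interface
!
! Static NAT: the server is published as 203.0.113.10.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Inbound (outside->inside) packets are translated to the private
! destination 10.1.1.10 BEFORE ZBF inspection, so the class-map ACL
! matches the PRIVATE address, not the public one.
ip access-list extended OUT-TO-IN-ALLOWED
 permit tcp any host 10.1.1.10 eq 443
!
class-map type inspect match-all OUT-TO-IN-CM
 match access-group name OUT-TO-IN-ALLOWED
!
! Only the listed traffic is inspected; everything else is dropped.
policy-map type inspect OUT-TO-IN-PM
 class type inspect OUT-TO-IN-CM
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-PM
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
! If an interface ACL were also applied inbound on Gi0/0 with
! "ip access-group ... in", it would be evaluated BEFORE NAT and would
! have to permit the PUBLIC address 203.0.113.10 instead. Mixing an
! interface ACL with ZBF is not recommended, as noted above.
!
! Verification: an inbound HTTPS session from the outside should appear
! as a session to 10.1.1.10 in the output of:
!   show policy-map type inspect zone-pair OUT-TO-IN sessions
```

The class-default drop keeps the outside->inside zone pair closed apart from the published service, and the session output is the quickest way to confirm that the firewall is seeing the post-NAT (private) destination.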
3 REPLIES

New Member

ZBF + NAT - order of operation

You are right, that works, but according to http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

NAT is after the input access-list. So why does the router accept traffic initiated from outside to the private IP address?

Why does the input ACL not drop this traffic?

Does ZBF change anything?

Let's assume a scenario where we do not have ZBF, just static NAT and an ACL on the outside interface. In that case the ACL on the outside interface would need to accept traffic to the public (not private) address. Why does this logic change with ZBF?

Thanks
