Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Reflexive ACLs with NAT

I tested a simple reflexive ACL (allow all outgoing TCP/UDP/ICMP traffic, "reflecting" the traffic to an inbound ACL) on an 881 router that is also performing NAT on it's WAN (fa4) interface.

Given the Cisco NAT order of operation, I would expect that any RACLs showing up in a "show ip access-list" would only list the public IP of the router interface.  I would not expect to see "private" (internal) IP addresses, as the order of operation for outbound traffic applies NAT prior to checking outbound access lists.  Given the RACL is tied to the outbound of the WAN interface, I would expect it to only list the public IP in reflexive "inbound" ACLs.

However, on my test system there were several entries for internal IPs in the reflexive ACLs, including internal IPs as source addresses.

Is this a side-effect of NAT and RACL on the same interface?   It almost appeared as if the ACL picked up post-NAT return traffic and acted upon it as if it were outbound traffic on the fa4 interface.

Will try to get some clean captures later, but wanted to throw this out to see if I'm missing something grossly easy.

Thank you,


Everyone's tags (3)
CreatePlease to create content