I tested a simple reflexive ACL (allow all outgoing TCP/UDP/ICMP traffic, "reflecting" the traffic to an inbound ACL) on an 881 router that is also performing NAT on its WAN (fa4) interface.
Given the Cisco NAT order of operation, I would expect that any RACLs showing up in a "show ip access-list" would only list the public IP of the router interface. I would not expect to see "private" (internal) IP addresses, as the order of operation for outbound traffic applies NAT prior to checking outbound access lists. Given the RACL is tied to the outbound of the WAN interface, I would expect it to only list the public IP in reflexive "inbound" ACLs.
However, on my test system there were several entries for internal IPs in the reflexive ACLs, including internal IPs as source addresses.
Is this a side-effect of NAT and RACL on the same interface? It almost appeared as if the ACL picked up post-NAT return traffic and acted upon it as if it were outbound traffic on the fa4 interface.
Will try to get some clean captures later, but wanted to throw this out to see if I'm missing something grossly easy.
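As an added example (not part of the original post, and not a capture from the poster's 881): a small Python checker that does by script what the post describes doing by eye, scanning the text of a Cisco IOS "show ip access-lists" display and flagging any reflexive-ACL entry whose source or destination host is an RFC 1918 address. The sample output embedded below is constructed in the shape of IOS output; the list names (OUTBOUND, INBOUND, RACL) and all addresses are assumptions, with RFC 5737 documentation ranges standing in for the public side.

```python
"""Flag reflexive-ACL entries that reference RFC 1918 (private) addresses.

Added example, not code from the original post. It parses the text of a
Cisco IOS "show ip access-lists" display and, for each entry under a
"Reflexive IP access list" heading, reports any source or destination host
that falls in private address space. On a NAT router whose reflexive ACL is
applied to the WAN interface, only the inside-global (public) address would
be expected there, so a private address is exactly the oddity the post asks
about.

The sample output below is CONSTRUCTED for illustration (list names and
addresses are assumptions; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737
documentation ranges); it is not a capture from the poster's router.
"""

import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of IOS "show ip access-lists" output.
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list OUTBOUND
    10 permit tcp any any reflect RACL
    20 permit udp any any reflect RACL
    30 permit icmp any any reflect RACL
Extended IP access list INBOUND
    10 evaluate RACL
    20 deny ip any any log
Reflexive IP access list RACL
     permit tcp host 198.51.100.20 eq www host 203.0.113.5 eq 51234 (12 matches) (time left 278)
     permit udp host 198.51.100.53 eq domain host 203.0.113.5 eq 40211 (2 matches) (time left 290)
     permit tcp host 198.51.100.20 eq www host 192.168.1.10 eq 51235 (3 matches) (time left 281)
     permit tcp host 192.168.1.10 eq 51236 host 198.51.100.20 eq www (1 match) (time left 299)
"""

# Header line of each list in the display, e.g. "Reflexive IP access list RACL".
_ACL_HEADER = re.compile(
    r"^(?P<kind>Extended|Standard|Reflexive) IP access list (?P<name>\S+)\s*$"
)
# A reflexive entry: always "permit <proto> host A [eq p] host B [eq p] ...".
_REFLEX_ENTRY = re.compile(
    r"^\s*permit\s+(?P<proto>\S+)\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?"
)

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# covers loopback, link-local and CGNAT space that are not the question here.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_reflexive_entries(show_output: str) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """Return {reflexive_list_name: [entry, ...]} from show ip access-lists text.

    Entries under Extended/Standard lists are ignored; only the dynamically
    created reflexive entries are collected.
    """
    lists: Dict[str, List[Dict[str, Optional[str]]]] = {}
    current: Optional[str] = None
    for line in show_output.splitlines():
        m = _ACL_HEADER.match(line)
        if m:
            current = m.group("name") if m.group("kind") == "Reflexive" else None
            if current is not None:
                lists.setdefault(current, [])
            continue
        if current is None:
            continue
        e = _REFLEX_ENTRY.match(line)
        if e:
            lists[current].append({
                "proto": e.group("proto"),
                "src": e.group("src"), "sport": e.group("sport"),
                "dst": e.group("dst"), "dport": e.group("dport"),
            })
    return lists


def find_private_addresses(show_output: str) -> List[Tuple[str, str, str, str]]:
    """List (list_name, role, address, proto) for every private src/dst seen."""
    findings = []
    for name, entries in parse_reflexive_entries(show_output).items():
        for e in entries:
            for role in ("src", "dst"):
                if is_rfc1918(e[role]):
                    findings.append((name, role, e[role], e["proto"]))
    return findings


if __name__ == "__main__":
    for name, role, addr, proto in find_private_addresses(SAMPLE_SHOW_OUTPUT):
        print(f"{name}: private {role} {addr} in {proto} entry")
```

Feed it the real output of "show ip access-lists" (for example, copied from a terminal session) in place of the constructed sample; any line it prints is an entry that should not be there if translation happened before the reflexive entry was created.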