Does NAT get sequenced before IDS audit before routing?
I'm using IOS IDS to audit an outside interface and the IDS messages show post-NAT destination address. Shouldn't IDS messages show the pre-NAT destination IP address instead?
The same challenge expressed another way; I'm seeking confirmation whether inside source NAT should occur before the IDS audits traffic coming though the outside interface? (IOS IDS in a 3745 with 12.2.13)
Here's the example config;
ip nat outside
ip audit IDS-AUDIT in
ip nat inside
ip nat inside source static
So far as I've understood, packets that travel from outside to inside are translated then routed. Packets that travel from inside to outside are routed then translated. Since IDS messages (for intercepted traffic) show the translated address as the destination and not the pre-NAT dest address it's apparent that inbound traffic gets NAT'd before IDS inspects, before routing?
Many thanks to anyone that can get their mind around this enough to offer a suggestion or reply :)
Re: Does NAT get sequenced before IDS audit before routing?
Many thanks for your note Yusuf. The reference is excellent. From the reference, I interpret the function of the IOS IDS as "TCP intercept". This confirms that in our case (IDS auditing traffic from outside to inside), the NAT comes first and our router is behaving as intended.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...