09-02-2003 07:02 PM - edited 03-09-2019 04:38 AM
I'm using IOS IDS to audit an outside interface and the IDS messages show post-NAT destination address. Shouldn't IDS messages show the pre-NAT destination IP address instead?
The same challenge expressed another way; I'm seeking confirmation whether inside source NAT should occur before the IDS audits traffic coming though the outside interface? (IOS IDS in a 3745 with 12.2.13)
Here's the example config;
interface FastEthernet0/0
ip nat outside
ip audit IDS-AUDIT in
interface FastEthernet0/1
ip nat inside
ip nat inside source static
So far as I've understood, packets that travel from outside to inside are translated then routed. Packets that travel from inside to outside are routed then translated. Since IDS messages (for intercepted traffic) show the translated address as the destination and not the pre-NAT dest address it's apparent that inbound traffic gets NAT'd before IDS inspects, before routing?
Many thanks to anyone that can get their mind around this enough to offer a suggestion or reply :)
Solved! Go to Solution.
09-02-2003 09:02 PM
09-02-2003 09:02 PM
09-02-2003 10:34 PM
Many thanks for your note Yusuf. The reference is excellent. From the reference, I interpret the function of the IOS IDS as "TCP intercept". This confirms that in our case (IDS auditing traffic from outside to inside), the NAT comes first and our router is behaving as intended.
Thanks again. Regards, Jon
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: