Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
270
Views
0
Helpful
2
Replies

Does NAT get sequenced before IDS audit before routing?

Go to solution
jonriley
Level 1
Level 1

‎09-02-2003 07:02 PM - edited ‎03-09-2019 04:38 AM

I'm using IOS IDS to audit an outside interface and the IDS messages show post-NAT destination address. Shouldn't IDS messages show the pre-NAT destination IP address instead?

The same challenge expressed another way; I'm seeking confirmation whether inside source NAT should occur before the IDS audits traffic coming though the outside interface? (IOS IDS in a 3745 with 12.2.13)

Here's the example config;

interface FastEthernet0/0

ip nat outside

ip audit IDS-AUDIT in

interface FastEthernet0/1

ip nat inside

ip nat inside source static

So far as I've understood, packets that travel from outside to inside are translated then routed. Packets that travel from inside to outside are routed then translated. Since IDS messages (for intercepted traffic) show the translated address as the destination and not the pre-NAT dest address it's apparent that inbound traffic gets NAT'd before IDS inspects, before routing?

Many thanks to anyone that can get their mind around this enough to offer a suggestion or reply :)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yusuff
Cisco Employee
Cisco Employee

‎09-02-2003 09:02 PM

this should answer your query;

http://www.cisco.com/warp/public/556/5.html

Regards

Yusuf

View solution in original post

0 Helpful
2 Replies 2

Go to solution
yusuff
Cisco Employee
Cisco Employee

‎09-02-2003 09:02 PM

this should answer your query;

http://www.cisco.com/warp/public/556/5.html

Regards

Yusuf

0 Helpful

Go to solution
jonriley
Level 1
Level 1
In response to yusuff

‎09-02-2003 10:34 PM

Many thanks for your note Yusuf. The reference is excellent. From the reference, I interpret the function of the IOS IDS as "TCP intercept". This confirms that in our case (IDS auditing traffic from outside to inside), the NAT comes first and our router is behaving as intended.

Thanks again. Regards, Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents