
Order of operation

Hello,

Does the PIX perform NAT on source addresses before or after the egress ACL?

Thanks in advance,

Emek

4 REPLIES

Re: Order of operation

The PIX always looks at translation rules first, then looks at access-lists. Only if there is a translation rule (i.e. NAT or static) for the packet is it forwarded to the ACL to see if the packet is allowed through. Therefore the packet must pass both translation rules and ACL rules before it is forwarded.

Hope it helps.

Steve


Re: Order of operation

Thanks.

So ACL rules for outgoing sessions should be based on NATed addresses as opposed to the original addresses?

Emek

Re: Order of operation

In the PIX, ACLs can only be applied inbound. If you want outbound filtering you could use the "outbound" command (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid9 ).

If you apply your ACL inbound on your inside interface, the IPs in the ACL would be your internal IPs. The PIX will check to make sure there is a NAT command that matches those IPs, then the packet will be passed to your ACL. So it will check that a translation rule exists, compare the packet to your ACL, then perform NAT.

e.g. access-list inside_access_internet permit tcp host 10.10.10.10 any eq 80

nat (inside) 1 10.10.10.0 255.255.255.0

global (outside) 1 interface (or global (outside) 1 209.165.202.128 netmask 255.255.255.224)

access-group inside_access_internet in interface inside

If you apply the ACL inbound on your external interface, it will check to make sure the inbound connection has a translation rule (either a static or a dynamic translation), then will pass the packet to the ACL, and then perform NAT.

e.g. access-list internet_access_int permit tcp any host 200.200.200.200 eq 80

static (inside,outside) 200.200.200.200 10.10.10.10 netmask 255.255.255.255 0 0

access-group internet_access_int in interface outside

A router, on the other hand, will check inbound ACLs, perform NAT, then check outbound ACLs.

Hope it helps.

Steve
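To make the ordering Steve describes concrete, here is a small Python model of the two pipelines (an added illustration, not Cisco code or anything from this thread). It encodes the thread's own policy: the inside ACL is written against the internal host 10.10.10.10, the outside ACL against the global address 200.200.200.200, the `nat (inside) 1` rule covers 10.10.10.0/24, and the `static` maps 200.200.200.200 to 10.10.10.10. The outside interface address 209.165.202.129 used for the `global (outside) 1 interface` PAT, and all packet addresses, are constructed sample values. The point it shows is which address family an ACL must name on each platform: a PIX ACL sees the packet before translation (so an inside ACL written with the NATed address silently matches nothing), and a PIX refuses the packet outright when no translation rule exists, even if the ACL would permit it; a router's outbound ACL instead sees the already-translated source.

```python
"""Toy model of PIX vs. router order of operations (added example, not Cisco code).
Policy values mirror the forum thread; packet addresses and the PAT address are
constructed sample values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: networks are CIDR strings or 'any'."""
    action: str            # "permit" or "deny"
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def acl_decision(acl, pkt: Packet) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if (ace.proto == pkt.proto and _match(ace.src, pkt.src)
                and _match(ace.dst, pkt.dst)
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action == "permit"
    return False


# Translation rules from the thread.
NAT_INSIDE = ip_network("10.10.10.0/24")    # nat (inside) 1 10.10.10.0 255.255.255.0
GLOBAL_OUTSIDE = "209.165.202.129"          # global (outside) 1 interface (constructed address)
STATIC = {"200.200.200.200": "10.10.10.10"}  # static (inside,outside) 200.200.200.200 10.10.10.10

# ACLs from the thread (inside ACL names the internal host, outside ACL the global address).
INSIDE_ACL = [Ace("permit", "tcp", "10.10.10.10/32", "any", 80)]
OUTSIDE_ACL = [Ace("permit", "tcp", "any", "200.200.200.200/32", 80)]
# Two mis-written variants that name the wrong side of the translation.
WRONG_INSIDE_ACL = [Ace("permit", "tcp", GLOBAL_OUTSIDE + "/32", "any", 80)]
WRONG_OUTSIDE_ACL = [Ace("permit", "tcp", "any", "10.10.10.10/32", 80)]
PERMIT_ANY = [Ace("permit", "tcp", "any", "any")]


def pix_inside_to_outside(acl, pkt: Packet):
    """PIX, packet entering 'inside': xlate lookup, ACL on the untranslated
    packet, then NAT. Returns (forwarded, packet_on_wire, reason)."""
    if ip_address(pkt.src) not in NAT_INSIDE:
        return False, None, "no translation rule"
    if not acl_decision(acl, pkt):
        return False, None, "denied by inside ACL (evaluated on pre-NAT addresses)"
    return True, replace(pkt, src=GLOBAL_OUTSIDE), "permitted"


def pix_outside_to_inside(acl, pkt: Packet):
    """PIX, packet entering 'outside': static lookup on the global destination,
    ACL on the global (untranslated) packet, then translation to the inside host."""
    inside = STATIC.get(pkt.dst)
    if inside is None:
        return False, None, "no static translation for destination"
    if not acl_decision(acl, pkt):
        return False, None, "denied by outside ACL (evaluated on global addresses)"
    return True, replace(pkt, dst=inside), "permitted"


def router_inside_to_outside(in_acl, out_acl, pkt: Packet):
    """Router order: inbound ACL, NAT, outbound ACL, so the outbound ACL sees
    the translated source address."""
    if not acl_decision(in_acl, pkt):
        return False, None, "denied by inbound ACL (pre-NAT addresses)"
    if ip_address(pkt.src) in NAT_INSIDE:
        pkt = replace(pkt, src=GLOBAL_OUTSIDE)
    if not acl_decision(out_acl, pkt):
        return False, None, "denied by outbound ACL (post-NAT addresses)"
    return True, pkt, "permitted"


if __name__ == "__main__":
    web = Packet("10.10.10.10", "198.51.100.5", 80)       # constructed outbound web session
    print("PIX, correct inside ACL :", pix_inside_to_outside(INSIDE_ACL, web))
    print("PIX, ACL names NAT addr :", pix_inside_to_outside(WRONG_INSIDE_ACL, web))
    print("PIX, no xlate for source:", pix_inside_to_outside(PERMIT_ANY, Packet("192.168.1.5", "198.51.100.5", 80)))
    inbound = Packet("203.0.113.7", "200.200.200.200", 80)  # constructed inbound web session
    print("PIX, correct outside ACL:", pix_outside_to_inside(OUTSIDE_ACL, inbound))
    print("PIX, ACL names inside IP:", pix_outside_to_inside(WRONG_OUTSIDE_ACL, inbound))
    print("Router, outbound ACL on NATed src:", router_inside_to_outside(INSIDE_ACL, WRONG_INSIDE_ACL, web))
```

Run it and compare the "ACL names NAT addr" line with the router line: the same entry that is dead on a PIX inside interface is exactly what a router's outbound ACL needs, which is the answer to Emek's follow-up question.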


Re: Order of operation

Steve,

Thanks.
