
New Member

Router and policy

Hi!

If I use a policy on the Ethernet interface for packet marking and I also use NAT ... which is applied first? What does the marking policy see? The original address or the NAT-ed address?

Thanks!

  • WAN Routing and Switching
5 REPLIES

Re: Router and policy

Before you can understand the NAT Order of Operations list, you first need to understand NAT itself. In its most basic form, NAT translates one IP address to another IP address.

When the router uses this order of operations, it takes the inbound packet, starting at the top, and moves down the list. If the packet is from a NAT inside-designated interface, it uses the inside-to-outside list. If the packet is from an outside-to-inside interface, it uses that list.

Here's the order of operations for the inside-to-outside list:

1. If IPSec, then check input access list
2. Decryption (for Cisco Encryption Technology (CET) or IPSec)
3. Check input access list
4. Check input rate limits
5. Input accounting
6. Policy routing
7. Routing
8. Redirect to Web cache
9. NAT inside to outside (local to global translation)
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect context-based access control (CBAC)
13. TCP intercept
14. Encryption

Here's the order of operations for the outside-to-inside list:

1. If IPSec, then check input access list
2. Decryption (for CET or IPSec)
3. Check input access list
4. Check input rate limits
5. Input accounting
6. NAT outside to inside (global to local translation)
7. Policy routing
8. Routing
9. Redirect to Web cache
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect CBAC
13. TCP intercept
14. Encryption

HTH,

if it does, please rate this post.

Vlad
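Added example, not part of Vlad's reply or of any Cisco document: a small Python model of the two order-of-operations lists above, used to show which source address a marking ACL sees depending on where in the pipeline it is evaluated. It assumes (my assumption, not stated in the thread) that an input-direction marking policy on the inside interface is evaluated at the "check input rate limits" stage, before NAT, and an output-direction policy on the WAN interface at the "check output access list" stage, after NAT. All addresses, the NAT entry and the ACL prefixes are constructed.

```python
# Added example: model of the IOS NAT order of operations quoted in the thread.
# Assumption: input marking is evaluated at the "input rate limits" stage and
# output marking at the "output access list" stage. Everything below is constructed.
import ipaddress
from dataclasses import dataclass, field

# Stage names taken from the two lists above (encryption/decryption steps omitted
# because they do not touch addresses in this model).
INSIDE_TO_OUTSIDE = [
    "input access list", "input rate limits", "input accounting",
    "policy routing", "routing", "NAT inside to outside",
    "output access list", "CBAC", "TCP intercept",
]
OUTSIDE_TO_INSIDE = [
    "input access list", "input rate limits", "input accounting",
    "NAT outside to inside", "policy routing", "routing",
    "output access list", "CBAC", "TCP intercept",
]


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0
    trace: list = field(default_factory=list)  # (stage, address seen, dscp after)


def acl_matches(acl, addr):
    """Constructed ACL: a list of CIDR prefixes; match if the address is in any."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(prefix) for prefix in acl)


def run_pipeline(pkt, direction, nat_table, marking_acl, mark_stage, dscp=46):
    """Walk pkt through the chosen list, translating at the NAT stage and
    evaluating the marking ACL against the *current* source address when
    mark_stage is reached. nat_table maps local->global for inside-to-outside
    and global->local for outside-to-inside."""
    stages = INSIDE_TO_OUTSIDE if direction == "in2out" else OUTSIDE_TO_INSIDE
    for stage in stages:
        if stage == "NAT inside to outside":
            pkt.src = nat_table.get(pkt.src, pkt.src)   # local -> global source
        elif stage == "NAT outside to inside":
            pkt.dst = nat_table.get(pkt.dst, pkt.dst)   # global -> local destination
        if stage == mark_stage:
            seen = pkt.src
            if acl_matches(marking_acl, seen):
                pkt.dscp = dscp
            pkt.trace.append((stage, seen, pkt.dscp))
    return pkt


# Constructed static translation and ACLs (RFC 1918 / documentation ranges).
NAT = {"192.168.1.10": "203.0.113.10"}
PRIVATE_ACL = ["192.168.1.0/24"]          # matches the pre-NAT (inside local) address
PUBLIC_ACL = ["203.0.113.0/24"]           # matches the post-NAT (inside global) address
BOTH_ACL = PRIVATE_ACL + PUBLIC_ACL       # the "put both addresses in" workaround


def classify_at_input(acl=PRIVATE_ACL):
    """service-policy input on the Ethernet (ip nat inside) interface."""
    return run_pipeline(Packet("192.168.1.10", "198.51.100.5"), "in2out",
                        NAT, acl, "input rate limits")


def classify_at_output(acl=PRIVATE_ACL):
    """service-policy output on the WAN (ip nat outside) interface."""
    return run_pipeline(Packet("192.168.1.10", "198.51.100.5"), "in2out",
                        NAT, acl, "output access list")


if __name__ == "__main__":
    for label, pkt in (("input, private ACL", classify_at_input()),
                       ("output, private ACL", classify_at_output()),
                       ("output, public ACL", classify_at_output(PUBLIC_ACL)),
                       ("output, both ACL", classify_at_output(BOTH_ACL))):
        stage, seen, dscp = pkt.trace[0]
        print(f"{label:22} ACL saw {seen:14} at '{stage}' -> dscp {dscp}")
```

In this model the input policy on the inside interface classifies on the original 192.168.1.10 and marks the packet, while the same private-address ACL applied as an output policy on the WAN interface only ever sees 203.0.113.10 and matches nothing. An ACL carrying both the inside local and inside global prefixes matches in either position, which is the approach the original poster settles on later in the thread.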

Re: Router and policy

hi,

you will find how NAT works, in order, at this link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

rate the post if it helps

regards

Devang

New Member

Re: Router and policy

I still do not get it. The Eth int will be inside and the WAN interface will be outside. From the documentation I can see that queuing is last. But if I have a policy for packet marking, and that policy uses access lists to inspect what the sources are and mark packets accordingly, will those access lists see the translated address?

Re: Router and policy

I would say yes. The queueing configuration needs to reflect the NAT configuration.

Anyway, are you configuring this in a production environment, or testing first in a lab?

Try it and let us know.

And please rate any helpful posts.

Vlad

New Member

Re: Router and policy

:-)) lab!? what is that? test environment? :-)) just joking, of course I do not have a lab to test it. I will have this config tomorrow in production and will see. Never mind, I'll find a way, put both addresses in the access lists and see. thanks
