Velocity Reviews


K.J. 44 09-06-2006 04:41 PM

ACLs and NAT
 
Hi,

I am working with a Cisco ASA and putting together my ACLs and NAT.
Does NAT occur before the ACL check before the NAT? I have the ACL on
the incoming interface for all ACLs, so it is before any routing
decisions but is it also before NAT?

Thanks.


K.J. 44 09-06-2006 04:52 PM

Re: ACLs and NAT
 

K.J. 44 wrote:
> Hi,
>
> I am working with a Cisco ASA and putting together my ACLs and NAT.
> Does NAT occur before the ACL check before the NAT? I have the ACL on
> the incoming interface for all ACLs, so it is before any routing
> decisions but is it also before NAT?
>
> Thanks.


Also, I used ASDM 5.0 to create the NAT translation. In ASDM I created
a static translation

Interface: inside
IP Address: Private IP
Mask: 255.255.255.255
Translate Address on Interface: Outside
Translate Address to: Static
IP Address: Public

However, when I look at the config, it shows this line for NAT

static (inside,outside) public IP private IP netmask 255.255.255.255

Is that in the correct order? Because the outside IP is first and the
private IP is second in the line in the configuration.

Thanks.


Walter Roberson 09-06-2006 05:17 PM

Re: ACLs and NAT
 
In article <1157561545.088760.110330@h48g2000cwc.googlegroups.com>,
K.J. 44 <Holleran.Kevin@gmail.com> wrote:
>> I am working with a Cisco ASA


>static (inside,outside) public IP private IP netmask 255.255.255.255


>Is that in the correct order? Because the outside IP is first and the
>private IP is second in the line in the configuration.


That is normal for static commands. The first IP must be appropriate
for the interface named second, and the second IP must be appropriate
for the interface named first. No, I don't know why they choose that
order.

K.J. 44 09-06-2006 06:45 PM

Re: ACLs and NAT
 
Thanks for the response.

When I am applying my ACLs, will NAT have already occurred? If so then
my permit ACLs need to reflect my public IP and if not, then the
private IP.

Thanks.


Walter Roberson wrote:
> In article <1157561545.088760.110330@h48g2000cwc.googlegroups.com>,
> K.J. 44 <Holleran.Kevin@gmail.com> wrote:
> >> I am working with a Cisco ASA

>
> >static (inside,outside) public IP private IP netmask 255.255.255.255

>
> >Is that in the correct order? Because the outside IP is first and the
> >private IP is second in the line in the configuration.

>
> That is normal for static commands. The first IP must be appropriate
> for the interface named second, and the second IP must be appropriate
> for the interface named first. No, I don't know why they choose that
> order.



K.J. 44 09-06-2006 08:13 PM

Re: ACLs and NAT
 
Never mind, I found it. Traffic is checked against inbound ACLs then
translation occurs.


K.J. 44 wrote:
> Thanks for the response.
>
> When I am applying my ACLs, will NAT have already occurred? If so then
> my permit ACLs need to reflect my public IP and if not, then the
> private IP.
>
> Thanks.
>
>
> Walter Roberson wrote:
> > In article <1157561545.088760.110330@h48g2000cwc.googlegroups.com>,
> > K.J. 44 <Holleran.Kevin@gmail.com> wrote:
> > >> I am working with a Cisco ASA

> >
> > >static (inside,outside) public IP private IP netmask 255.255.255.255

> >
> > >Is that in the correct order? Because the outside IP is first and the
> > >private IP is second in the line in the configuration.

> >
> > That is normal for static commands. The first IP must be appropriate
> > for the interface named second, and the second IP must be appropriate
> > for the interface named first. No, I don't know why they choose that
> > order.



Walter Roberson 09-06-2006 08:14 PM

Re: ACLs and NAT
 
In article <1157568301.986740.47260@e3g2000cwe.googlegroups.com>,
K.J. 44 <Holleran.Kevin@gmail.com> wrote:

>When I am applying my ACLs, will NAT have already occurred? If so then
>my permit ACLs need to reflect my public IP and if not, then the
>private IP.


I happened to notice a section in the ASA documentation that
discusses this point specifically.

I am not familiar with PIX/ASA 7.x operational details. In PIX 6.x,
the rule was approximately "the source and destination should
reflect what would be seen on the wire at the point of normal
application of the ACL". The major ambiguity about this that then
needed to be resolved was this: "crypto map match address ACLs are
applied for outgoing traffic -after- NAT has taken place, and are
applied for incoming traffic -before- NAT has taken place" (and
hence the ACLs reflect what would go into the VPN tunnel interface.)

So, an ACL applied as an access-group to an outside interface would
use the public IPs in the destination fields because that's what is
on the wire; an ACL applied as an access-group to an inside interface
would use the internal IPs as the sources because that's what is on
the wire for them.
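As an added illustration of the rule Walter describes (this is not code from the thread, and the config it parses is a constructed sample rather than K.J.'s), a small Python lint that reads pre-8.3 `static (real_if,mapped_if) <public> <private>` lines and flags inbound ACEs on the mapped-side interface that name the private address, which can never match because the ACL is checked before translation. It assumes the pre-8.3 semantics the thread discusses; ASA 8.3 and later changed ACLs to use real (untranslated) addresses, so the check would be inverted there.

```python
import re
# Constructed sample (not from the thread), in pre-8.3 ASA syntax, using the
# static form K.J. quoted: static (inside,outside) <public> <private> netmask ...
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.11 eq 22
access-group OUTSIDE_IN in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) \S+ "
                    r"(any|host \S+) (any|host \S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def parse_statics(config):
    """Return {mapped_if: {real_ip: mapped_ip}} from 'static (real_if,mapped_if) A B'.
    Per Walter's reply, A belongs to the interface named second, B to the first."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.setdefault(mapped_if, {})[real_ip] = mapped_ip
    return statics

def lint_acls(config):
    """Flag ACEs that name a pre-NAT (private) host in an ACL applied inbound on
    the mapped-side interface. Per the thread, that ACL is checked before
    translation, so it sees the public address and such an ACE never matches.
    Returns a list of (acl_name, interface, private_ip, public_ip)."""
    statics = parse_statics(config)
    groups = {}
    for line in config.splitlines():
        g = GROUP_RE.match(line.strip())
        if g:
            groups[g.group(1)] = g.group(2)
    findings = []
    for line in config.splitlines():
        a = ACL_RE.match(line.strip())
        if not a:
            continue
        name, src, dst = a.groups()
        real_to_mapped = statics.get(groups.get(name), {})
        for field in (src, dst):
            ip = field.split()[1] if field.startswith("host ") else None
            if ip in real_to_mapped:
                findings.append((name, groups[name], ip, real_to_mapped[ip]))
    return findings
```

Running `lint_acls(SAMPLE_CONFIG)` reports the second ACE, which permits to the private 192.168.1.11 on the outside interface where the wire carries 203.0.113.11.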

