Velocity Reviews > Newsgroups > Computing > Cisco > ACLs and NAT
ACLs and NAT

K.J. 44, 09-06-2006
Hi,

I am working with a Cisco ASA and putting together my ACLs and NAT.
Does NAT occur before the ACL check before the NAT? I have the ACL on
the incoming interface for all ACLs, so it is before any routing
decisions but is it also before NAT?

Thanks.

K.J. 44, 09-06-2006

K.J. 44 wrote:
> Hi,
>
> I am working with a Cisco ASA and putting together my ACLs and NAT.
> Does NAT occur before the ACL check before the NAT? I have the ACL on
> the incoming interface for all ACLs, so it is before any routing
> decisions but is it also before NAT?
>
> Thanks.


Also, I used ASDM 5.0 to create the NAT translation. In ASDM I created
a static translation

Interface: inside
IP Address: Private IP
Mask: 255.255.255.255
Translate Address on Interface: Outside
Translate Address to: Static
IP Address: Public

However, when I look at the config, it shows this line for NAT

static (inside,outside) public IP private IP netmask 255.255.255.255

Is that in the correct order? Because the outside IP is first and the
private IP is second in the line in the configuration.

Thanks.

Walter Roberson, 09-06-2006
In article <(E-Mail Removed) .com>,
K.J. 44 <(E-Mail Removed)> wrote:
>> I am working with a Cisco ASA


>static (inside,outside) public IP private IP netmask 255.255.255.255


>Is that in the correct order? because the outside IP is first and the
>private IP is second in the line in the configuration.


That is normal for static commands. The first IP must be appropriate
for the interface named second, and the second IP must be appropriate
for the interface named first. No, I don't know why they choose that
order.
K.J. 44, 09-06-2006
Thanks for the response.

When I am applying my ACLs, will NAT have already occurred? If so then
my permit ACLs need to reflect my public IP and if not, then the
private IP.

Thanks.


Walter Roberson wrote:
> In article <(E-Mail Removed) .com>,
> K.J. 44 <(E-Mail Removed)> wrote:
> >> I am working with a Cisco ASA

>
> >static (inside,outside) public IP private IP netmask 255.255.255.255

>
> >Is that in the correct order? because the outside IP is first and the
> >private IP is second in the line in the configuration.

>
> That is normal for static commands. The first IP must be appropriate
> for the interface named second, and the second IP must be appropriate
> for the interface named first. No, I don't know why they choose that
> order.


K.J. 44, 09-06-2006
Never mind, I found it. Traffic is checked against inbound ACLs, then
translation occurs.


K.J. 44 wrote:
> Thanks for the response.
>
> When I am applying my ACLs, will NAT have already occurred? If so then
> my permit ACLs need to reflect my public IP and if not, then the
> private IP.
>
> Thanks.
>
>
> Walter Roberson wrote:
> > In article <(E-Mail Removed) .com>,
> > K.J. 44 <(E-Mail Removed)> wrote:
> > >> I am working with a Cisco ASA

> >
> > >static (inside,outside) public IP private IP netmask 255.255.255.255

> >
> > >Is that in the correct order? because the outside IP is first and the
> > >private IP is second in the line in the configuration.

> >
> > That is normal for static commands. The first IP must be appropriate
> > for the interface named second, and the second IP must be appropriate
> > for the interface named first. No, I don't know why they choose that
> > order.


Walter Roberson, 09-06-2006
In article <(E-Mail Removed) om>,
K.J. 44 <(E-Mail Removed)> wrote:

>When I am applying my ACLs, will NAT have already occurred? If so then
>my permit ACLs need to reflect my public IP and if not, then the
>private IP.


I happened to notice a section in the ASA documentation that
discusses this point specifically.

I am not familiar with PIX/ASA 7.x operational details. In PIX 6.x,
the rule was approximately "the source and destination should
reflect what would be seen on the wire at the point of normal
application of the ACL". The major ambiguity about this that then
needed to be resolved was this: "crypto map match address ACLs are
applied for outgoing traffic -after- NAT has taken place, and are
applied for incoming traffic -before- NAT has taken place" (and
hence the ACLs reflect what would go into the VPN tunnel interface.)

So, an ACL applied as an access-group to an outside interface would
use the public IPs in the destination fields because that's what is
on the wire; an ACL applied as an access-group to an inside interface
would use the internal IPs as the sources because that's what is on
the wire for them.
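The two points settled in this thread, the argument order of the `static` command (first address belongs on the interface named second) and the inbound order of operations (ingress-interface ACL first, on wire addresses, then static translation), are modelled below in a small Python simulation. This is an added example, not code from the thread or from Cisco; every address, interface name, subnet and ACL entry in it is constructed sample data, and "appropriate for an interface" is approximated as "lies inside that interface's subnet", which is an assumption of the example rather than anything the ASA enforces.

```python
"""Toy model of the ASA behaviour discussed in the thread (added example):
  1. 'static (real_if,mapped_if) mapped_ip real_ip netmask m': the first
     address must fit the interface named second, the second the first;
  2. inbound path: the ACL on the ingress interface sees wire addresses,
     and the static translation of the destination happens afterwards.
All addresses and interface names are constructed sample data."""
from dataclasses import dataclass, replace
import ipaddress
import re
from typing import Optional

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)\s+netmask\s+(?P<mask>\S+)"
)


@dataclass(frozen=True)
class StaticNat:
    real_if: str     # interface the real (private) host sits behind
    mapped_if: str   # interface on which the mapped (public) address is seen
    mapped_ip: str   # first address in the command: must fit mapped_if
    real_ip: str     # second address in the command: must fit real_if
    mask: str


def parse_static(line: str) -> StaticNat:
    """Split one 'static (...)' line into its two interfaces and two addresses."""
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    return StaticNat(**m.groupdict())


def check_static(nat: StaticNat, subnets: dict) -> list:
    """Apply the ordering rule from the reply: mapped_ip must belong on
    mapped_if, real_ip on real_if.  'Belongs on' is approximated here
    (an assumption of this example) as membership in that interface's subnet."""
    problems = []
    if ipaddress.ip_address(nat.mapped_ip) not in subnets[nat.mapped_if]:
        problems.append(f"{nat.mapped_ip} is not an address on {nat.mapped_if}")
    if ipaddress.ip_address(nat.real_ip) not in subnets[nat.real_if]:
        problems.append(f"{nat.real_ip} is not an address on {nat.real_if}")
    return problems


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int] = None # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, pkt.dport))


def evaluate_acl(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def inbound_path(pkt: Packet, acl: list, statics: list):
    """Inbound order of operations: ingress ACL on wire addresses, then NAT."""
    decision = evaluate_acl(acl, pkt)
    if decision != "permit":
        return decision, None
    for nat in statics:
        if nat.mapped_if == pkt.ingress_if and nat.mapped_ip == pkt.dst:
            return decision, replace(pkt, dst=nat.real_ip)  # mapped -> real
    return decision, pkt  # no translation for this destination


# Constructed sample data (RFC 5737 documentation ranges on the outside).
SUBNETS = {"inside": ipaddress.ip_network("10.1.1.0/24"),
           "outside": ipaddress.ip_network("203.0.113.0/24")}
STATIC = parse_static("static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255")
SWAPPED = parse_static("static (inside,outside) 10.1.1.10 203.0.113.10 netmask 255.255.255.255")

WEB_HIT = Packet("outside", "tcp", "198.51.100.7", "203.0.113.10", 443)
# Outside ACL naming the public address: what is on the wire at that point.
ACL_PUBLIC = [Ace("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443)]
# The other option raised in the thread: naming the private address.
ACL_PRIVATE = [Ace("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443)]


def demo():
    """Outcome of both ACL styles for the same inbound packet."""
    ok, translated = inbound_path(WEB_HIT, ACL_PUBLIC, [STATIC])
    bad, _ = inbound_path(WEB_HIT, ACL_PRIVATE, [STATIC])
    return ok, translated.dst, bad


if __name__ == "__main__":
    print("static line:", check_static(STATIC, SUBNETS) or "ok")
    print("swapped line:", check_static(SWAPPED, SUBNETS))
    print("public-IP ACL, translated dst, private-IP ACL:", demo())
```

Running it shows the swapped `static` line failing both address checks, and the same inbound packet being permitted and translated to the private address when the outside ACL names the public IP, but dropped by the implicit deny when the ACL names the private IP, because the ACL is evaluated before the translation has happened.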