ACLs and NAT

Discussion in 'Cisco' started by K.J. 44, Sep 6, 2006.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I am working with a Cisco ASA and putting together my ACLs and NAT.
    Does NAT occur before the ACL check before the NAT? I have the ACL on
    the incoming interface for all ACLs, so it is before any routing
    decisions but is it also before NAT?

    Thanks.
     
    K.J. 44, Sep 6, 2006
    #1
  2. K.J. 44

    K.J. 44 Guest

    K.J. 44 wrote:
    > Hi,
    >
    > I am working with a Cisco ASA and putting together my ACLs and NAT.
    > Does NAT occur before the ACL check before the NAT? I have the ACL on
    > the incoming interface for all ACLs, so it is before any routing
    > decisions but is it also before NAT?
    >
    > Thanks.


    Also, I used ASDM 5.0 to create the NAT translation. In ASDM I created
    a static translation

    Interface: inside
    IP Address: Private IP
    Mask: 255.255.255.255
    Translate Address on Interface: Outside
    Translate Address to: Static
    IP Address: Public

    However, when I look at the config, it shows this line for NAT

    static (inside,outside) public IP private IP netmask 255.255.255.255

    Is that in the correct order? Because the outside IP is first and the
    private IP is second in the line in the configuration.

    Thanks.
     
    K.J. 44, Sep 6, 2006
    #2
  3. In article <>,
    K.J. 44 <> wrote:
    >> I am working with a Cisco ASA
    >
    >static (inside,outside) public IP private IP netmask 255.255.255.255
    >
    >Is that in the correct order? Because the outside IP is first and the
    >private IP is second in the line in the configuration.


    That is normal for static commands. The first IP must be appropriate
    for the interface named second, and the second IP must be appropriate
    for the interface named first. No, I don't know why they choose that
    order.
     
    Walter Roberson, Sep 6, 2006
    #3
  4. K.J. 44

    K.J. 44 Guest

    Thanks for the response.

    When I am applying my ACLs, will NAT have already occurred? If so then
    my permit ACLs need to reflect my public IP and if not, then the
    private IP.

    Thanks.


    Walter Roberson wrote:
    > In article <>,
    > K.J. 44 <> wrote:
    > >> I am working with a Cisco ASA
    > >
    > >static (inside,outside) public IP private IP netmask 255.255.255.255
    > >
    > >Is that in the correct order? Because the outside IP is first and the
    > >private IP is second in the line in the configuration.

    >
    > That is normal for static commands. The first IP must be appropriate
    > for the interface named second, and the second IP must be appropriate
    > for the interface named first. No, I don't know why they choose that
    > order.
     
    K.J. 44, Sep 6, 2006
    #4
  5. K.J. 44

    K.J. 44 Guest

    Never mind, I found it. Traffic is checked against inbound ACLs, then
    translation occurs.


    K.J. 44 wrote:
    > Thanks for the response.
    >
    > When I am applying my ACLs, will NAT have already occurred? If so then
    > my permit ACLs need to reflect my public IP and if not, then the
    > private IP.
    >
    > Thanks.
    >
    >
    > Walter Roberson wrote:
    > > In article <>,
    > > K.J. 44 <> wrote:
    > > >> I am working with a Cisco ASA
    > > >
    > > >static (inside,outside) public IP private IP netmask 255.255.255.255
    > > >
    > > >Is that in the correct order? Because the outside IP is first and the
    > > >private IP is second in the line in the configuration.

    > >
    > > That is normal for static commands. The first IP must be appropriate
    > > for the interface named second, and the second IP must be appropriate
    > > for the interface named first. No, I don't know why they choose that
    > > order.
     
    K.J. 44, Sep 6, 2006
    #5
  6. In article <>,
    K.J. 44 <> wrote:

    >When I am applying my ACLs, will NAT have already occurred? If so then
    >my permit ACLs need to reflect my public IP and if not, then the
    >private IP.


    I happened to notice a section in the ASA documentation that
    discusses this point specifically.

    I am not familiar with PIX/ASA 7.x operational details. In PIX 6.x,
    the rule was approximately "the source and destination should
    reflect what would be seen on the wire at the point of normal
    application of the ACL". The major ambiguity about this that then
    needed to be resolved was this: "crypto map match address ACLs are
    applied for outgoing traffic -after- NAT has taken place, and are
    applied for incoming traffic -before- NAT has taken place" (and
    hence the ACLs reflect what would go into the VPN tunnel interface.)

    So, an ACL applied as an access-group to an outside interface would
    use the public IPs in the destination fields because that's what is
    on the wire; an ACL applied as an access-group to an inside interface
    would use the internal IPs as the sources because that's what is on
    the wire for them.
     
    Walter Roberson, Sep 6, 2006
    #6
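
    Putting the two answers together, here is an added configuration example (not from the thread, not from Cisco's documentation) that shows the static translation next to the two access-groups, with each ACL naming the address that is on the wire at the interface it is applied to. All addresses, ACL names and ports are constructed: 203.0.113.10 stands in for the public (mapped) address and 192.168.1.10 for the private (real) host. The syntax is the pre-8.3 form the thread is discussing.

```cisco
! Added example, not from the thread. Constructed addresses:
!   203.0.113.10 = public (mapped) address on the outside interface
!   192.168.1.10 = private (real) host on the inside interface
! Form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The first address belongs to the second interface (outside) and the
! second address to the first interface (inside), as described above.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! The inbound ACL on outside is evaluated before the translation is undone,
! so its destination is the public address. Expose only the needed port and
! log the drops so blocked probes show up in syslog.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! The inbound ACL on inside sees the untranslated source, so it uses the
! private address of the host.
access-list INSIDE_IN extended permit tcp host 192.168.1.10 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Checks: the static should appear in the translation table, and the
! per-ACE hit counters show which line a test connection actually matched.
show xlate
show access-list OUTSIDE_IN
```

    One caveat for anyone reading this later: from ASA 8.3 onward the NAT syntax changed and interface ACLs are written against the real (untranslated) addresses in both directions, so on those releases the OUTSIDE_IN entry above would reference 192.168.1.10 rather than the public address.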