ACLs and NAT

Hi,

I am working with a Cisco ASA and putting together my ACLs and NAT. Does NAT occur before the ACL check, or does the ACL check occur before NAT? I have all my ACLs on the incoming interface, so they are applied before any routing decision, but are they also applied before NAT?

Thanks.

K.J. 44

Also, I used ASDM 5.0 to create the NAT translation. In ASDM I created a static translation

Interface: inside
IP Address: Private IP
Mask: 255.255.255.255
Translate Address on Interface: outside
Translate Address to: Static
IP Address: Public IP

However, when I look at the config, it shows this line for NAT

static (inside,outside) public IP private IP netmask 255.255.255.255

Is that in the correct order? I ask because the outside IP is first and the private IP is second in that line of the configuration.

Thanks.

K.J. 44

That is normal for static commands. The first IP must be appropriate for the interface named second, and the second IP must be appropriate for the interface named first. No, I don't know why they chose that order.

Walter Roberson

Thanks for the response.

When I am applying my ACLs, will NAT have already occurred? If so, then my permit ACLs need to reflect my public IP; if not, then the private IP.

Thanks.

K.J. 44

Never mind, I found it. Traffic is checked against inbound ACLs, then translation occurs.

K.J. 44

K.J. 44 wrote:
> I happened to notice a section in the ASA documentation that discusses this point specifically.

I am not familiar with PIX/ASA 7.x operational details. In PIX 6.x, the rule was approximately "the source and destination should reflect what would be seen on the wire at the point of normal application of the ACL". The major ambiguity about this that then needed to be resolved was this: "crypto map match address ACLs are applied for outgoing traffic -after- NAT has taken place, and are applied for incoming traffic -before- NAT has taken place" (and hence the ACLs reflect what would go into the VPN tunnel interface.)

So, an ACL applied as an access-group to an outside interface would use the public IPs in the destination fields because that's what is on the wire; an ACL applied as an access-group to an inside interface would use the internal IPs as the sources because that's what is on the wire for them.

Walter Roberson
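As an added example (not a configuration posted in this thread), the following pre-8.3 ASA configuration lines put the two points discussed above side by side: the argument order of the static command, and access lists written for the addresses that appear on the wire at the interface where they are applied, since the inbound ACL is evaluated before translation. The addresses, access-list names and port are constructed placeholders.

```text
! Added example, not from the thread. All addresses are constructed placeholders.
! Pre-8.3 ASA syntax, matching the static command form shown in the thread.
!
! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The first address belongs on the interface named second (outside),
! the second address belongs on the interface named first (inside).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Inbound ACL on the outside interface. It is checked before the static
! translation is applied, so the destination is the PUBLIC (mapped) address
! as seen on the outside wire.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Inbound ACL on the inside interface. Also checked before NAT, so the
! source is the PRIVATE (real) address as seen on the inside wire.
access-list INSIDE_IN extended permit tcp host 10.1.1.10 any eq 443
access-group INSIDE_IN in interface inside
!
! Common mistake on this syntax: writing the outside ACL against 10.1.1.10.
! That entry never matches inbound traffic from the outside, because the
! packet still carries 203.0.113.10 when the ACL is evaluated.
```

This applies to the ASA 7.x/8.2 command syntax used in the thread; ASA 8.3 and later changed the NAT configuration model and evaluate access lists against real (untranslated) addresses on every interface, so on those releases both ACLs above would reference 10.1.1.10.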
