Order of NAT, ACL, VPN etc in IOS

Does anyone know of a description of exactly what order all the various traffic modification/inspection engines work in IOS?

I found out the hard way that static NAT stops the VPNs working, so NAT must happen before the VPN. Also ACLs applied inbound on the external interface use external addresses, so they act before NAT. So I'm guessing the order is:

Inbound: ->ACL->VPN->(de)NAT

Outbound: NAT->VPN->ACL (if used)->

Is this correct? Some slightly off behaviour makes me wonder if PAT (as opposed to NAT) happens in a slightly different place.

Thanks,

John Rennie

Reply to
John Rennie
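To make the ordering the question infers concrete, here is a small model (added here, not part of the original thread or any Cisco code) of the two pipelines: on the way out, NAT runs before the crypto map is consulted, so a crypto ACL written in inside addresses stops matching once a static translation rewrites the source; on the way in, the interface ACL sees the addresses on the wire, then decryption, then the global-to-local translation. The addresses, the ACL contents and the "NAT exemption" list that skips translation for VPN-bound traffic are all constructed for the example; the exemption is the usual remedy for exactly the symptom described above.

```python
"""Toy model of the IOS ordering discussed in the thread (constructed example).
Outbound: NAT -> crypto map.  Inbound: interface ACL (wire addresses) -> decrypt -> de-NAT."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encrypted: bool = False   # True while the packet is carried inside an IPsec tunnel
    outer: tuple = ()         # (src, dst) of the tunnel's outer header when encrypted


# Constructed addressing (documentation ranges, not a real network)
INSIDE_LAN, REMOTE_LAN, ANY = "10.1.1.0/24", "10.2.2.0/24", "0.0.0.0/0"
LOCAL_PEER, REMOTE_PEER = "203.0.113.1", "198.51.100.1"     # VPN endpoints
STATIC_NAT = {"10.1.1.5": "203.0.113.5"}                    # inside local -> inside global
GLOBAL_TO_LOCAL = {glob: loc for loc, glob in STATIC_NAT.items()}

# ACLs: ordered (action, src_net, dst_net) triples; first match wins, implicit deny at the end
CRYPTO_ACL = [("permit", INSIDE_LAN, REMOTE_LAN)]           # "interesting" traffic, inside addresses
NAT_ALL = [("permit", ANY, ANY)]                            # translate everything (the broken setup)
NAT_EXEMPT_VPN = [("deny", INSIDE_LAN, REMOTE_LAN),         # skip NAT for VPN traffic (the fix)
                  ("permit", ANY, ANY)]
OUTSIDE_IN_ACL = [("permit", REMOTE_PEER + "/32", LOCAL_PEER + "/32"),   # tunnel packets from the peer
                  ("permit", ANY, "203.0.113.5/32")]                      # return traffic to the NATed host


def acl_permits(acl, pkt):
    """First matching entry decides; no match means implicit deny."""
    for action, src_net, dst_net in acl:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action == "permit"
    return False


def outbound(pkt, nat_acl=NAT_ALL):
    """Inside -> outside: translate first, then let the crypto map look at the translated packet."""
    trace = []
    if pkt.src in STATIC_NAT and acl_permits(nat_acl, pkt):
        pkt = replace(pkt, src=STATIC_NAT[pkt.src]); trace.append("nat")
    if acl_permits(CRYPTO_ACL, pkt):                        # evaluated AFTER translation
        pkt = replace(pkt, encrypted=True, outer=(LOCAL_PEER, REMOTE_PEER)); trace.append("encrypt")
    return pkt, trace


def inbound(pkt, outside_acl=OUTSIDE_IN_ACL):
    """Outside -> inside: interface ACL on wire addresses, then decrypt, then de-NAT."""
    trace = []
    wire = Packet(*pkt.outer) if pkt.encrypted else pkt    # what the interface ACL actually sees
    if not acl_permits(outside_acl, wire):
        return None, ["drop:acl"]
    trace.append("acl")
    if pkt.encrypted:
        pkt = replace(pkt, encrypted=False, outer=()); trace.append("decrypt")
    if pkt.dst in GLOBAL_TO_LOCAL:
        pkt = replace(pkt, dst=GLOBAL_TO_LOCAL[pkt.dst]); trace.append("denat")
    return pkt, trace


# Scenarios from the thread
def static_nat_breaks_vpn():
    """Crypto ACL in inside addresses no longer matches once NAT has rewritten the source."""
    return outbound(Packet("10.1.1.5", "10.2.2.9"))


def nat_exemption_restores_vpn():
    """With VPN traffic exempted from NAT the crypto map matches again."""
    return outbound(Packet("10.1.1.5", "10.2.2.9"), nat_acl=NAT_EXEMPT_VPN)


def inbound_acl_uses_global_addresses():
    """Return traffic arrives addressed to the inside-global address; de-NAT comes after the ACL."""
    return inbound(Packet("192.0.2.7", "203.0.113.5"))


def inbound_ace_on_local_address_never_matches():
    """An entry written against the inside-local 10.1.1.5 on the outside interface can never match."""
    return inbound(Packet("192.0.2.7", "203.0.113.5"), outside_acl=[("permit", ANY, "10.1.1.5/32")])


def inbound_tunnel_packet():
    """Tunnel packet: ACL sees the outer peer addresses, inner packet is untouched by de-NAT."""
    return inbound(Packet("10.2.2.9", "10.1.1.5", encrypted=True, outer=(REMOTE_PEER, LOCAL_PEER)))


if __name__ == "__main__":
    for fn in (static_nat_breaks_vpn, nat_exemption_restores_vpn, inbound_acl_uses_global_addresses,
               inbound_ace_on_local_address_never_matches, inbound_tunnel_packet):
        print(f"{fn.__name__:45s} -> {fn()}")
```

Running it shows the first scenario leaving the router translated but unencrypted, which is the "static NAT stops the VPN" symptom; the exemption list keeps the source untranslated so the crypto ACL matches, and the inbound cases show why an outside-interface ACL has to be written in global (post-NAT) addresses.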

formatting link

Reply to
Joop van der Velden

Reply to
John Rennie

One of the most useful docs on the site:)

However, although you have not mentioned it, it should be noted that the CBAC (Inspect) and/or crypto operations (I suspect both were changed) were substantially changed with 12.3(8)T.

I don't know if that doc refers to the old or the new?

formatting link
to the change: "Prior to Cisco Release 12.3(8)T, there was a double ACL check on the inbound packets, once on the encrypted packet and then again on the just-decrypted clear-text packet"

It would be good if Cisco cleared this up.

Reply to
anybody43
