Does anyone know of a description of exactly what order all the various traffic modification/inspection engines work in IOS?
I found out the hard way that static NAT stops the VPNs working, so NAT must happen before the VPN. Also ACLs applied inbound on the external interface use external addresses, so they act before NAT. So I'm guessing the order is:
Inbound: ->ACL->VPN->(de)NAT
Outbound: NAT->VPN->ACL (if used)->
Is this correct? Some slightly off behaviour makes me wonder if PAT (as opposed to NAT) happens in a slightly different place.
Thanks,
John Rennie