[c-nsp] NAT ACL

Gert Doering gert at greenie.muc.de
Thu Oct 14 15:31:03 EDT 2004


On Thu, Oct 14, 2004 at 11:13:43AM -0400, Paul Stewart wrote:
> Someone may correct me but an access list will apply to all traffic on
> the interface whether or not it's NAT.  The NAT translation will still
> be subject to the access list rules.

The important difference between "inACL first, NAT second" and "NAT first,
inACL second" is which addresses you can match on - if you permit only
specific source addresses, this gets important (because the address
might have been translated).

Regarding ACLs, the order is

  input ACL
  output ACL

(which has been said already).

This order is most logical, as the packet coming in from an "ip nat inside" 
interface might go out over another interface that's also "ip nat inside",
so is not visiting NAT at all - but the ACL should apply identically
to all the packets...

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

More information about the cisco-nsp mailing list