[c-nsp] NAT ACL
Gert Doering
gert at greenie.muc.de
Thu Oct 14 15:31:03 EDT 2004
Hi,
On Thu, Oct 14, 2004 at 11:13:43AM -0400, Paul Stewart wrote:
> Someone may correct me but an access list will apply to all traffic on
> the interface whether or not it's NAT. The NAT translation will still
> be subject to the access list rules.
The important difference between "inACL first, NAT second" and "NAT first,
inACL second" is which addresses you can match on - if you permit only
specific source addresses, this gets important (because the address
might have been translated).
Regarding ACLs, the order is
input ACL
NAT
output ACL
(which has been said already).
This order is most logical, as the packet coming in from an "ip nat inside"
interface might go out over another interface that's also "ip nat inside",
so is not visiting NAT at all - but the ACL should apply identically
to all the packets...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
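To make the ordering concrete, here is a small model of the "input ACL, then NAT, then output ACL" sequence described above. This is an added example and not code from the original post or from Cisco; the interface names, prefixes, routes and the static translation (10.1.0.5 to 203.0.113.5) are assumptions chosen for illustration, and the model is deliberately simplified (static NAT only, no stateful entries). It shows why an ACL on an "ip nat inside" interface sees inside-local addresses, why an ACL on the "ip nat outside" interface sees inside-global addresses, and why traffic between two "ip nat inside" interfaces is filtered identically even though it never visits NAT:

```python
"""Model of Cisco IOS order of operations: input ACL -> NAT -> output ACL.

Constructed example (not from the original post). Interface names, prefixes
and the NAT mapping below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Assumed topology: two "ip nat inside" LANs and one "ip nat outside" uplink.
NAT_ROLE = {"Gi0/0": "inside", "Gi0/1": "inside", "Gi0/2": "outside"}
ROUTES = [("10.1.0.0/16", "Gi0/0"), ("10.2.0.0/16", "Gi0/1"), ("0.0.0.0/0", "Gi0/2")]
# Assumed static translation, as in:  ip nat inside source static 10.1.0.5 203.0.113.5
INSIDE_TO_GLOBAL = {"10.1.0.5": "203.0.113.5"}
GLOBAL_TO_INSIDE = {g: l for l, g in INSIDE_TO_GLOBAL.items()}

# Correct placement: the inside-facing input ACL matches inside-local addresses,
# the outside-facing ACLs match inside-global (translated) addresses.
ACLS_OK = {
    ("Gi0/0", "in"):  [("permit", "10.1.0.0/16", "0.0.0.0/0")],
    ("Gi0/2", "out"): [("permit", "203.0.113.0/24", "0.0.0.0/0")],
    ("Gi0/2", "in"):  [("permit", "0.0.0.0/0", "203.0.113.0/24")],
}
# The mistake the thread warns about: the output ACL on the outside interface
# lists the pre-NAT source address, which it will never see.
ACLS_WRONG = {**ACLS_OK, ("Gi0/2", "out"): [("permit", "10.1.0.0/16", "0.0.0.0/0")]}


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p, _ in ROUTES if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]


def acl_permits(acl, pkt: Packet) -> bool:
    """ACL as ordered (action, src_prefix, dst_prefix) entries with implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def forward(pkt: Packet, in_iface: str, acls) -> str:
    """Walk one packet through the router; acls maps (iface, 'in'|'out') -> ACL."""
    # 1. The input ACL runs first, so it matches on the addresses as they arrived.
    if (in_iface, "in") in acls and not acl_permits(acls[(in_iface, "in")], pkt):
        return f"dropped by input ACL on {in_iface}"
    # 2. NAT only touches packets that cross the inside/outside boundary.
    in_role = NAT_ROLE[in_iface]
    if in_role == "outside":
        # outside -> inside: the global destination is untranslated before routing
        pkt = replace(pkt, dst=GLOBAL_TO_INSIDE.get(pkt.dst, pkt.dst))
    out_iface = route(pkt.dst)
    if in_role == "inside" and NAT_ROLE[out_iface] == "outside":
        # inside -> outside: the local source becomes the global source
        pkt = replace(pkt, src=INSIDE_TO_GLOBAL.get(pkt.src, pkt.src))
    # inside -> inside falls through here untouched: no translation at all.
    # 3. The output ACL runs last, so it matches on post-translation addresses.
    if (out_iface, "out") in acls and not acl_permits(acls[(out_iface, "out")], pkt):
        return f"dropped by output ACL on {out_iface}"
    return f"forwarded via {out_iface} src={pkt.src} dst={pkt.dst}"


if __name__ == "__main__":
    for label, acls in (("correct ACLs", ACLS_OK), ("wrong ACLs", ACLS_WRONG)):
        print(label)
        print("  inside->outside:", forward(Packet("10.1.0.5", "198.51.100.7"), "Gi0/0", acls))
        print("  inside->inside: ", forward(Packet("10.1.0.5", "10.2.0.9"), "Gi0/0", acls))
        print("  outside->inside:", forward(Packet("198.51.100.7", "203.0.113.5"), "Gi0/2", acls))
```

With ACLS_WRONG the inside-to-outside packet passes the input ACL on Gi0/0, gets its source rewritten to 203.0.113.5, and is then dropped by the output ACL on Gi0/2, which only lists 10.1.0.0/16. The inside-to-inside packet is forwarded under both ACL sets, because it leaves via another "ip nat inside" interface and never reaches NAT, while the input ACL on Gi0/0 applied to it exactly as it did to the translated packet.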