https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594912#M229802 <P><EM><STRONG>One more thing to confirm is for traffic flow in bidirectional&nbsp; it will use the same NAT rule right?</STRONG></EM></P><P>Yes, assuming the NAT statement is a static NAT.&nbsp; Only static NAT is bidirectional, while dynamic NAT is not.</P><P><EM><STRONG>For ACL check for traffic flow from inside to outside it will look look for ACL on ASA's inside interface right?</STRONG></EM></P><P>Correct. The ACL, if any, which is applied to the inside interface will be matched first.&nbsp; However, it is possible to apply an ACL to the outside interface in the outbound direction which will also be applied to the traffic.&nbsp; This is not a common practice though and is used only when there is a specific need for doing so.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Tue, 16 Dec 2014 21:55:41 GMT Marius Gunnerud 2014-12-16T21:55:41Z https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594909#M229798 <P>&nbsp;</P><P>Hi Everyone,</P><P>&nbsp;</P><P>I configured port porwarding for our internal server as we have 1 public IP only.It is working fine.</P><P>Need to confirm if we access the server from <STRONG>outside world then first thing that will happen is</STRONG></P><P>NAT and then it will look for ACL on outside interface right?</P><P><STRONG>For return traffic &nbsp;from server to Outside world it will hit ACL then NAT</STRONG>?</P><P>&nbsp;</P><P>Regards</P><P>MAhesh</P> Tue, 12 Mar 2019 05:14:10 GMT https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594909#M229798 mahesh18 2019-03-12T05:14:10Z https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594910#M229800 <P><EM><STRONG>Need to confirm if we access the server from outside world then first thing that will happen is</STRONG></EM></P><P><EM><STRONG>NAT and then it will look for ACL on outside interface right?</STRONG></EM></P><P>That is correct.&nbsp; As you said, traffic will first be translated using the NAT statements and then checked against the ACL entries.</P><P><EM><STRONG>For return traffic &nbsp;from server to Outside world it will hit ACL then NAT</STRONG>?</EM></P><P>Again correct.&nbsp; This is because the ACL check will happen on the inside interface and the NAT, in this case, will happen after the packet has entered the interface.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Tue, 16 Dec 2014 16:34:18 GMT https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594910#M229800 Marius Gunnerud 2014-12-16T16:34:18Z https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594911#M229801 <P>&nbsp;</P><P>Hi Marius,</P><P>&nbsp;</P><P>One more thing to confirm is for traffic flow in bidirectional&nbsp; it will use the same NAT rule right?</P><P>For ACL check for traffic flow from inside to outside it will look look for ACL on ASA's inside interface right?</P><P>Regards</P><P>MAhesh</P><P>&nbsp;</P> Tue, 16 Dec 2014 17:21:25 GMT https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594911#M229801 mahesh18 2014-12-16T17:21:25Z https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594912#M229802 <P><EM><STRONG>One more thing to confirm is for traffic flow in bidirectional&nbsp; it will use the same NAT rule right?</STRONG></EM></P><P>Yes, assuming the NAT statement is a static NAT.&nbsp; Only static NAT is bidirectional, while dynamic NAT is not.</P><P><EM><STRONG>For ACL check for traffic flow from inside to outside it will look look for ACL on ASA's inside interface right?</STRONG></EM></P><P>Correct. The ACL, if any, which is applied to the inside interface will be matched first.&nbsp; However, it is possible to apply an ACL to the outside interface in the outbound direction which will also be applied to the traffic.&nbsp; This is not a common practice though and is used only when there is a specific need for doing so.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Tue, 16 Dec 2014 21:55:41 GMT https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594912#M229802 Marius Gunnerud 2014-12-16T21:55:41Z https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594913#M229803 <P>&nbsp;</P><P>Many thanks Marius for confirming that i was thinking correct.</P><P>Best Regards</P><P>Mahesh</P> Tue, 16 Dec 2014 22:15:13 GMT https://community.cisco.com/t5/network-security/port-forwarding-and-order-of-operation/m-p/2594913#M229803 mahesh18 2014-12-16T22:15:13Z