https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831977#M492295 <P>Hello.</P><P></P><P>as I studied,&nbsp; Interface ACLs and Zone based Firewall should not be applied at the same time. This it means that every packet is processed by the router (I'm thinking NAT).</P><P></P><P>For example, an unwanted traffic is processed by NAT before is it drop by ZBF. Do you think is it optimal ?</P> Mon, 11 Mar 2019 21:56:03 GMT ipagliani 2019-03-11T21:56:03Z https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831977#M492295 <P>Hello.</P><P></P><P>as I studied,&nbsp; Interface ACLs and Zone based Firewall should not be applied at the same time. This it means that every packet is processed by the router (I'm thinking NAT).</P><P></P><P>For example, an unwanted traffic is processed by NAT before is it drop by ZBF. Do you think is it optimal ?</P> Mon, 11 Mar 2019 21:56:03 GMT https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831977#M492295 ipagliani 2019-03-11T21:56:03Z https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831978#M492297 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It is not something to be optimal or not. Packets processed by Zone-Based are either fast switched or processed switched so that's probably why NAT is processed before the Zone-based Firewall.</P><P></P><P>On the other hand inbound ACLs (if no further processing is necessary for other features) are processed by CEF so the packets don't go to the router's CPU and are processed before NAT.</P><P></P><P>I hope it makes sense.</P></BODY></HTML> Mon, 28 Nov 2011 16:43:39 GMT https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831978#M492297 josecalv 2011-11-28T16:43:39Z https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831979#M492300 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>what you said is logical and correct point of view for packet processing; but what do you think about firewall processing ? </P><P> I don't understand why an unwanted packet have to be processed by Nat before drop it </P><P>ASA behavior is a little bit different, it use real ip address but interface ACL is still used for block packet before other process.</P><P>Regard,</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Mon, 28 Nov 2011 17:44:44 GMT https://community.cisco.com/t5/network-security/zbf-and-nat/m-p/1831979#M492300 ipagliani 2011-11-28T17:44:44Z