Hi out there
I have a (probably simple) problem with a Cisco ASA 5510 with an SSM10 module. We NAT through the outside interface. Through the global policy:
service-policy IPS interface outside
we have assigned the IPS to the outside interface. We direct the traffic through a few simple maps:
class-map inspection_default
 match default-inspection-traffic
class-map ips-default
 match access-list ips_default-inbound_vs0
!
The access-list ips_default-inbound_vs0 looks like this:
access-list ips_default-inbound_vs0 extended deny ip 205.0.0.0 255.0.0.0 any
access-list ips_default-inbound_vs0 extended deny ip 206.0.0.0 255.0.0.0 any
access-list ips_default-inbound_vs0 extended permit ip any any
whereby I expect traffic from 206.164.26.128 to bypass the sensor vs0, but it looks as if it hits the last entry in the ACL instead.
I wonder in what order the access-list is evaluated. As far as I remember, the ACL is "converted" to the real IP address, not the NAT'ed one, before being evaluated, but I am a bit in doubt when I look at the result...
By the way, what throughput can we expect on these boxes? We are running a 100 Mbps fiber link but cannot get more than 20-30 Mbps through the box when the traffic is passed through the IPS.
Best regards, /ti
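The post asks in what order the class-map ACL is evaluated. The following is an added example (not part of the original post and not Cisco code) that models how an ASA extended ACL is walked: strictly top-down, first match wins, implicit deny at the end, and masks are real subnet masks rather than IOS-style wildcards. It also reflects that in the ASA MPF a connection is classified on the packet that opens it, and that class then applies to the whole flow in both directions, so what matters is the source and destination of the initiating packet. The ACL text is a constructed copy of the three lines above; the inside host 192.168.1.10 and the mapped address 203.0.113.10 are invented for illustration, and the example does not decide the pre-NAT versus post-NAT question raised in the post (it simply evaluates whichever addresses you hand it).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL from the post (not pulled from a device).
ACL_TEXT = """\
access-list ips_default-inbound_vs0 extended deny ip 205.0.0.0 255.0.0.0 any
access-list ips_default-inbound_vs0 extended deny ip 206.0.0.0 255.0.0.0 any
access-list ips_default-inbound_vs0 extended permit ip any any
"""


@dataclass(frozen=True)
class AclEntry:
    line: int                    # 1-based position in the ACL
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_address(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec starting at tokens[pos].

    ASA extended ACLs use real subnet masks (255.0.0.0), not IOS-style
    wildcard masks, so 'A MASK' maps directly onto a network object.
    """
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[pos + 1]}/32"), pos + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[pos + 1]}", strict=False), pos + 2


def parse_asa_acl(text: str, name: Optional[str] = None) -> List[AclEntry]:
    """Parse 'access-list NAME extended ACTION ip SRC DST' lines, keeping order."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        if name is not None and tokens[1] != name:
            continue
        action, proto = tokens[3], tokens[4]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE in this example: {raw}")
        src, pos = _take_address(tokens, 5)
        dst, _ = _take_address(tokens, pos)
        entries.append(AclEntry(len(entries) + 1, action, src, dst))
    return entries


def first_match(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """Return (line, action) of the first ACE matching src -> dst.

    Evaluation is top-down and stops at the first hit; if nothing matches,
    the implicit deny at the end of every ACL applies (reported as line None).
    """
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.line, ace.action
    return None, "deny"


def sent_to_ips(acl: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """A 'match access-list' class contains the flow only on a permit hit;
    a deny hit means 'not in this class', not 'drop'."""
    return first_match(acl, src_ip, dst_ip)[1] == "permit"


if __name__ == "__main__":
    acl = parse_asa_acl(ACL_TEXT, "ips_default-inbound_vs0")
    # Connection opened from the outside host: source is in 206/8 -> line 2 deny,
    # so this flow is not in the IPS class.
    print(first_match(acl, "206.164.26.128", "203.0.113.10"))
    # Connection opened from an inside host towards the same peer: the initiating
    # packet's source is the inside host and only the destination is 206.x, so
    # neither deny matches and line 3 (permit any any) puts the flow into the class.
    print(first_match(acl, "192.168.1.10", "206.164.26.128"))
```

Because the two deny lines only test the source address, a connection that an inside host opens towards 206.164.26.128 reaches `permit ip any any` no matter whether the ASA evaluates the inside host's real or mapped address; the example makes that visible by letting you pass either one as `src_ip`.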