Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
647
Views
10
Helpful
2
Replies

ZBF and NAT

ipagliani
Level 1
Level 1

‎11-28-2011 06:26 AM - edited ‎03-11-2019 02:56 PM

Hello.

as I studied,  Interface ACLs and Zone based Firewall should not be applied at the same time. This it means that every packet is processed by the router (I'm thinking NAT).

For example, an unwanted traffic is processed by NAT before is it drop by ZBF. Do you think is it optimal ?

Labels:
0 Helpful
2 Replies 2

josecalv
Level 1
Level 1

‎11-28-2011 08:43 AM

Hi,

It is not something to be optimal or not. Packets processed by Zone-Based are either fast switched or processed switched so that's probably why NAT is processed before the Zone-based Firewall.

On the other hand inbound ACLs (if no further processing is necessary for other features) are processed by CEF so the packets don't go to the router's CPU and are processed before NAT.

I hope it makes sense.

ipagliani
Level 1
Level 1
In response to josecalv

‎11-28-2011 09:44 AM

Hi,

what you said is logical and correct point of view for packet processing; but what do you think about firewall processing ?

I don't understand why an unwanted packet have to be processed by Nat before drop it

ASA behavior is a little bit different, it use real ip address but interface ACL is still used for block packet before other process.

Regard,

Sent from Cisco Technical Support iPad App

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card