11-28-2011 06:26 AM - edited 03-11-2019 02:56 PM
Hello.
As I have studied, interface ACLs and Zone-Based Firewall should not be applied at the same time. This means that every packet is processed by the router (I'm thinking of NAT).
For example, unwanted traffic is processed by NAT before it is dropped by ZBF. Do you think this is optimal?
11-28-2011 08:43 AM
Hi,
It is not something to be optimal or not. Packets processed by the Zone-Based Firewall are either fast switched or process switched, so that's probably why NAT is processed before the Zone-Based Firewall.
On the other hand, inbound ACLs (if no further processing is necessary for other features) are processed by CEF, so the packets don't go to the router's CPU and are processed before NAT.
I hope it makes sense.
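A configuration sketch of the split described in this answer, added here as an example and not taken from the thread or from any Cisco document: the inbound interface ACL discards unwanted sources in the CEF path before NAT, and the zone-pair does the stateful inspection for everything the ACL lets through. Interface names, addresses, ACL names and prefixes are constructed.

```text
! Interface ACL on the outside interface: evaluated in the CEF path
! before NAT, so denied sources never reach NAT or the ZBF.
! (Added example; interface names, addresses and prefixes are
! constructed, not taken from the thread.)
ip access-list extended OUTSIDE-IN
 remark drop private-range sources before NAT and inspection
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Zone-Based Firewall: stateful inspection of inside-to-outside
! sessions; return traffic is admitted by the inspect state, and
! anything else from OUTSIDE to INSIDE has no zone-pair and is dropped.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-PMAP
 class type inspect INSIDE-TO-OUTSIDE-CMAP
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PMAP
!
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description WAN (constructed address)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN (constructed address)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
```

Packets matching the deny entries show up in the OUTSIDE-IN counters of `show ip access-lists` and not in `show policy-map type inspect zone-pair`, which is how to confirm they were discarded before NAT rather than by the firewall.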
11-28-2011 09:44 AM
Hi,
What you said is a logical and correct point of view for packet processing, but what do you think about firewall processing?
I don't understand why an unwanted packet has to be processed by NAT before it is dropped.
ASA behavior is a little bit different; it uses real IP addresses, but the interface ACL is still used to block packets before other processing.
Regards,
Sent from Cisco Technical Support iPad App