Core Issue
Context-based Access Control (CBAC) is a Cisco IOS Firewall feature that filters traffic using Access Control Lists (ACLs). CBAC inspects protocols more closely before permitting traffic through, which provides stronger perimeter security than Cisco IOS ACLs alone. Configuring Network Address Translation (NAT) on routers configured for CBAC is desirable for these reasons:
- To hide the actual addresses of the inside hosts.
- To strictly control access to the outside world.
- To strictly control access to inside hosts from the outside world.
Resolution
When you configure CBAC and NAT on the same router, the NAT order of operation determines which addresses your ACLs must reference.
For inside-to-outside traffic, the router processes a packet in this order:
- Check input ACL.
- Perform NAT inside to outside.
- Check output ACL.
For outside-to-inside traffic, the router processes a packet in this order:
- Check input ACL.
- Perform NAT outside to inside.
- Check output ACL.
Because the input ACL on the inside interface is checked before inside-to-outside NAT takes place, an ACL that filters inside-to-outside traffic on the inside interface must refer to the inside hosts by their actual (inside local) addresses.
Conversely, because the input ACL on the outside interface is checked before outside-to-inside NAT takes place, an ACL that filters outside-to-inside traffic on the outside interface must refer to the inside hosts by their translated (inside global) addresses.
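The following IOS configuration fragment is an added example, not taken from the referenced Cisco document, that applies the rule above on a two-interface router. The interface names, the inside network 10.1.1.0/24, the inside web server 10.1.1.10, and the outside addresses in 203.0.113.0/24 are constructed for illustration.

```ios
! CBAC inspection rule: track outbound TCP/UDP sessions so that
! return traffic is opened dynamically through the outside ACL.
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
!
! NAT: the web server gets a static translation; other inside hosts
! share the outside interface address (overload / PAT).
ip nat inside source static 10.1.1.10 203.0.113.10
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 10.1.1.0 0.0.0.255
!
! ACL 101 is checked on the INSIDE interface before inside-to-outside
! NAT, so it must use the hosts' actual (inside local) addresses.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
! ACL 102 is checked on the OUTSIDE interface before outside-to-inside
! NAT, so the web server is referenced by its translated (inside
! global) address 203.0.113.10, never by 10.1.1.10. Return traffic
! for sessions inspected by CBAC is admitted dynamically; everything
! else is denied and logged.
access-list 102 permit tcp any host 203.0.113.10 eq 80
access-list 102 deny   ip any any log
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group 101 in
 ip inspect FW_INSPECT in
!
interface FastEthernet0/1
 description Outside / Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group 102 in
```

To confirm that the addresses line up as intended, compare the inside local and inside global columns of `show ip nat translations` against the entries in ACL 101 and ACL 102, and use `show ip inspect sessions` to see which return flows CBAC has opened through ACL 102.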
For additional information on configuring NAT and CBAC on a router, refer to Two-Interface Router with NAT CBAC Configuration.
For additional information on the order in which transactions are processed on a router configured for NAT, refer to NAT Order of Operation.
For information on configuring CBAC, refer to Context-Based Access Control: Introduction and Configuration.