Order of NAT commands and access-lists

alclotto · ‎06-01-2004

What is the relationship and order of priority for processing for an access-list applied to the interface using an access-group statement, compared to a Nat Exemption or Policy NAT statement?

Why would you use a NAT exemption statement instead of applying an access-list to the interface?

I am familiar with the "Order of NAT Commands Used to Match Local Addresses" from the PIX Command Reference guide.

Can you direct me to any good white papers or sample documents that provide good examples?

ehirsel · ‎06-01-2004

You can use both nat exemption and apply an acl to an interface - it is not an either or situation.

The ports are not considered in a nat exemption acl; but they are considered when applying an acl to an interface. The acl on the interface is checked first, and then only for packets that are permitted is nat/pat considered.

alclotto · ‎06-04-2004

Thanks for the explanation.

I am still unclear as to why I would use NAT exemption instead of, or in conjunction with, an access-list aplied to the interface. Are you able to give me an example of a situation where this would apply?

mhoda · ‎06-04-2004

Hi,

As previously suggested, nat and acl work independent of each other on the PIX Firewall. For example, regarless of what you have configured for NAT, you still need an acl to allow the inbound traffic. Now, ACL can be used for many purposes on pix, like applying on the interafce, defining as interesting traffic for VPN, AAA or NAT exemption. ACL on interface is different than the acl you can apply on the NAT stmt. In the case of nat exemption, if you define a "nat with 0 network" then it does nat exemption for outbound traffic only, but "nat 0 acl" exempt the NAT for both direction traffic.

I hope this helps. Thanks,

Mynul