11-17-2002 10:29 PM - edited 03-09-2019 01:05 AM
Hello,
Does PIX perform NAT on source addresses before or after egress ACL ?
Thanks in advance,
Emek
11-18-2002 05:21 AM
PIX always looks at translation rules first, then looks at access-lists. Only if there is a translation rule (i.e. NAT or static) for the packet is it forwarded to the ACL to see if the packet is allowed through. Therefore the packet must pass both translation rules and ACL rules before it is forwarded.
Hope it helps.
Steve
11-18-2002 06:52 AM
Thanks.
So ACL rules for outgoing sessions should be based on the NATed addresses as opposed to the original addresses?
Emek
11-18-2002 08:30 AM
In the PIX, ACLs can only be applied inbound. If you want outbound filtering you could use the "outbound" command (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid9).
If you apply your acl inbound on your inside interface the IP in the acl would be your internal IPs. The PIX will check to make sure there is a NAT command that matches those IPs, then it will be passed to your acl. So it will check that a translation rule exists, compare the packet to your acl, then perform NAT.
e.g.
access-list inside_access_internet permit tcp host 10.10.10.10 any eq 80
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface (or global (outside) 1 209.165.202.128 netmask 255.255.255.224)
access-group inside_access_internet in interface inside
If you apply the acl inbound on your external interface, it will check to make sure the inbound connection has a translation rule (either static or a dynamic translation) and then will pass the packet to the acl and then perform NAT.
e.g.
access-list internet_access_int permit tcp any host 200.200.200.200 eq 80
static (inside,outside) 200.200.200.200 10.10.10.10 netmask 255.255.255.255 0 0
access-group internet_access_int in interface outside
A router on the other hand will check inbound acls, perform NAT, then check outbound acls.
Hope it helps.
Steve
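The ordering Steve describes (translation-rule lookup first, then the arriving interface's inbound ACL evaluated on the untranslated packet, then NAT) versus the router ordering (inbound ACL, NAT, outbound ACL) is easy to get wrong when writing ACLs. The following is a small model of those two pipelines, added here as an illustration; it is not Cisco code and does not claim to reproduce PIX internals. The inside hosts, static, global pool and ACL entries are the ones quoted in the thread; the remote hosts (198.51.100.5, 203.0.113.9) are documentation addresses chosen for the example, and dynamic translations created by earlier outbound traffic are not modelled.

```python
"""Toy model of PIX 6.x vs. router ordering of NAT and ACL checks.
Added example; not Cisco code.  Addresses taken from the thread above."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  src/dst are CIDR strings or "any"."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Static:
    global_ip: str   # static (inside,outside) <global> <local>
    local_ip: str


@dataclass(frozen=True)
class DynamicNat:
    local_net: str   # nat (inside) 1 <net>
    global_ip: str   # global (outside) 1 <ip>


def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; no match is an implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto) and _in(ace.src, pkt.src)
                and _in(ace.dst, pkt.dst) and ace.dport in (None, pkt.dport)):
            return ace.action == "permit"
    return False


def pix_forward(pkt: Packet, direction: str, statics: List[Static],
                dyn: Optional[DynamicNat], acl: List[Ace]) -> Optional[Packet]:
    """direction 'out': arrived inbound on inside, leaving via outside.
    direction 'in': arrived inbound on outside, destined for inside.
    Returns the translated packet, or None if the PIX would drop it."""
    # Step 1: a translation rule must exist, otherwise the packet never reaches the ACL.
    if direction == "out":
        st = next((s for s in statics if s.local_ip == pkt.src), None)   # statics win over nat/global
        if st is not None:
            translated = replace(pkt, src=st.global_ip)
        elif dyn is not None and _in(dyn.local_net, pkt.src):
            translated = replace(pkt, src=dyn.global_ip)
        else:
            return None
    else:
        st = next((s for s in statics if s.global_ip == pkt.dst), None)
        if st is None:
            return None   # inbound needs a static (existing dynamic xlates not modelled here)
        translated = replace(pkt, dst=st.local_ip)
    # Step 2: the inbound ACL on the arriving interface sees the UNtranslated packet,
    # so inside-interface ACLs use internal IPs and outside-interface ACLs use global IPs.
    if not acl_permits(acl, pkt):
        return None
    # Step 3: NAT is applied last.
    return translated


def router_forward(pkt: Packet, in_acl: List[Ace], out_acl: List[Ace],
                   nat: dict) -> Optional[Packet]:
    """Router ordering: inbound ACL, then NAT, then outbound ACL on the translated packet."""
    if not acl_permits(in_acl, pkt):
        return None
    translated = replace(pkt, src=nat.get(pkt.src, pkt.src))
    if not acl_permits(out_acl, translated):
        return None
    return translated


# Configuration from the thread (200.200.200.200 static, 209.165.202.x global pool).
STATICS = [Static("200.200.200.200", "10.10.10.10")]
DYN = DynamicNat("10.10.10.0/24", "209.165.202.129")   # example address from the pool
INSIDE_ACL = [
    Ace("permit", "tcp", "10.10.10.10/32", "any", 80),
    Ace("permit", "ip", "192.168.0.0/16", "any"),    # permitted, but no nat/static for it
]
OUTSIDE_ACL = [Ace("permit", "tcp", "any", "200.200.200.200/32", 80)]
ROUTER_NAT = {"10.10.10.10": "200.200.200.200"}
```

Running the model with the thread's configuration shows the three cases worth remembering: an inside host with both a translation rule and an ACL entry is forwarded and translated; an inside host with a translation rule but no ACL entry is dropped at step 2; and a host the ACL permits but no nat/static covers (192.168.0.0/16 above) is dropped at step 1 without the ACL ever being consulted. On the router model, an outbound ACL written against 10.10.10.10 never matches because NAT has already rewritten the source to 200.200.200.200.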
11-18-2002 10:22 PM
Steve,
thanks.