Solved: NAT & Policy-Map ACL Question

phosgene · ‎04-23-2020

Hi guys,

For the purposes for NAT overload, if had my "outside" interface as Gi0/0 and my "inside" interface as VLAN120; and I wanted to police ingress traffic to an IP address in VLAN120 using an ACL with the inside local address as the destination...

Would I apply the input service-policy to:
1. Interface Gi0/0?
2. Or Interface VLAN120?
If I applied it to Gi0/0 would the ACL to the inside local address still work, even with NAT?

Here's some config/diagrams to illustrate my dilemma:

Option 1 - Policy on Gi0/0Option 2 - Policy on VLAN120

Thanks in advance!

Abzal · ‎04-23-2020

Hi @phosgene

You need to understand order of operation to successfully implement traffic policing. According to https://etherealmind.com/cisco-ios-order-of-operation/ policing is done before NAT. So in your case you'd apply policy-map to Vlan interface - option #2.

It looks to me your ACL (option #2) referring to different subnet than your VLAN 120 interface. It should've been

permit ip any 10.10.120.0 0.0.0.255

Verification:

sh policy-map int Vlan 120

Let us know if it worked out.

Best regards,
Abzal

View solution in original post

Abzal · ‎04-23-2020