Author Which comes first? (this is not the chicken and egg question)
The Reamer

2002-02-08, 5:44 pm

If you are running NAT on an interface as well as having an access list applied to the interface, which is processed first? Is NAT done and then the access list, or is it the other way around?

Reamer

Yeti-GBR1

2002-02-08, 6:47 pm

Hmmm, never thought to look at this. You could enable debug mode and watch what happens, I suppose; at least you would see what the router is doing as the packets came in. It may answer your question if you did. Anyone else got any thoughts?

MadChef

2002-02-09, 8:20 am

quote:
Originally posted by The Reamer
If you are running NAT on an interface as well as having an access list applied to the interface, which is processed first? Is NAT done and then the access list, or is it the other way around?



It depends. Which way is the traffic going and which way is the access-list "facing"?
For inbound traffic with an "in" access list, the ACL is processed and then the permitted packets are passed to NAT.
For outbound traffic with an "out" ACL, NAT happens first and then it hits the ACL.

There's a really good CCO article about this in something like the IOS Firewall, NAT or IPSec sections (cause IPSec throws even more complications into it). Search CCO for NAT process order or NAT order of operation. One of those should probably pull it up.

MadChef

---------
Found it: http://www.cisco.com/warp/public/556/5.html
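
The ordering described in the reply above decides which address an ACL entry has to be written against. The following IOS configuration sketch is an added illustration, not part of the original thread; the addresses, interface names and ACL numbers are constructed for the example.

```cisco
! Constructed example: 10.1.1.10 is the inside local address of a web server,
! 203.0.113.10 is its inside global (translated) address.
ip nat inside source static 10.1.1.10 203.0.113.10
!
interface Ethernet0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Outside link
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
 ip access-group 102 out
!
! Inbound on the outside interface: the ACL is checked before NAT,
! so the destination is still the global address.
access-list 101 permit tcp any host 203.0.113.10 eq www
! An entry written against 10.1.1.10 here would never match.
!
! Outbound on the outside interface: NAT has already run,
! so the source is the global address, not 10.1.1.10.
access-list 102 permit tcp host 203.0.113.10 eq www any
```

Both lists end in the implicit deny, so any other traffic through Serial0 is dropped.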