ACL or NAT (which one comes first when a packet exits an interface?)
Please look at the following config. I assumed that the ACL would come first and wouldn't let the packet go out,
but strangely the packet is NATed and the ACL doesn't do anything.
*** If I try to ping an RFC1918 address (except the one allowed), it NATs first rather than acting on the ACL, which denies access to RFC1918 addresses at all.
  ip address 192.168.226.254 255.255.255.0
  ip access-group Net-Access in
  ip nat inside

  Extended IP access list Net-Access
    10 permit ip 192.168.226.0 0.0.0.255 192.168.221.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.255.255
    30 deny ip any 172.16.0.0 0.15.255.255
    40 deny ip any 10.0.0.0 0.255.255.255
    50 permit ip any any

  ip nat inside source list 100 interface Loopback0 overload

  Extended IP access list 100
    10 deny ip 192.168.226.0 0.0.0.255 192.168.221.0 0.0.0.255
    20 permit ip 192.168.226.0 0.0.0.255 any
When I ping the RFC1918 addresses sourced from vlan1, it actually NATs out.
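To see what the two access lists in the post actually match, here is an added example (not part of the original post, and not Cisco code) that models Cisco ACL evaluation (first match wins, wildcard masks, implicit deny at the end) over the exact entries shown above, then walks a packet from a VLAN1 host through Cisco's documented inside-to-outside order for transit traffic: the inbound ACL on the inside interface is checked before the NAT inside source list. The Loopback0 address is not given in the post, so the translated source address below is a placeholder. One caveat the model makes explicit: an inbound interface ACL filters packets entering that interface from attached hosts, not packets the router itself generates, so a ping sourced from the router's own vlan1 address is not represented by this model.

```python
import ipaddress

# Constructed from the post: (seq, action, src, src_wildcard, dst, dst_wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255, as IOS stores it.
ANY = ("0.0.0.0", "255.255.255.255")
NET_ACCESS = [
    (10, "permit", "192.168.226.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    (20, "deny", *ANY, "192.168.0.0", "0.0.255.255"),
    (30, "deny", *ANY, "172.16.0.0", "0.15.255.255"),
    (40, "deny", *ANY, "10.0.0.0", "0.255.255.255"),
    (50, "permit", *ANY, *ANY),
]
NAT_LIST_100 = [
    (10, "deny", "192.168.226.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    (20, "permit", "192.168.226.0", "0.0.0.255", *ANY),
]

# Placeholder: the post does not show the Loopback0 address used for overload NAT.
LOOPBACK0_IP = "198.51.100.1"


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def evaluate_acl(acl, src, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    for seq, action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None  # implicit deny at the end of every IOS ACL


def inside_to_outside(src, dst):
    """Model a transit packet from a VLAN1 host leaving through a NAT outside interface.

    Order (Cisco's documented inside-to-outside sequence for transit traffic):
      1. inbound ACL on the inside interface (ip access-group Net-Access in)
      2. routing, then NAT inside source list 100 -> Loopback0 overload
    Returns (outcome, deciding_sequence_number, source_address_on_the_wire).
    """
    action, seq = evaluate_acl(NET_ACCESS, src, dst)
    if action == "deny":
        return ("dropped by Net-Access", seq, src)
    nat_action, nat_seq = evaluate_acl(NAT_LIST_100, src, dst)
    if nat_action == "permit":
        return ("forwarded, translated", nat_seq, LOOPBACK0_IP)
    return ("forwarded, untranslated", nat_seq, src)


if __name__ == "__main__":
    host = "192.168.226.10"  # constructed VLAN1 host
    for dst in ("192.168.221.5", "192.168.1.1", "172.20.0.1", "10.1.1.1", "172.32.0.1", "8.8.8.8"):
        print(f"{host} -> {dst}: {inside_to_outside(host, dst)}")
```

With the ACLs as posted, a VLAN1 host's traffic to 192.168.221.0/24 is permitted and left untranslated (NAT list 100 denies it), traffic to any other RFC1918 destination is dropped by Net-Access before NAT is ever consulted, and everything else is translated to the Loopback0 address.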