ACL or NAT (which one comes first when a packet is exiting an interface)

Hi,

Please look at the following config. I assumed that the ACL was going to come first and would not let the packet go out.

But strangely the packet is NATted and the ACL doesn't do anything.

*** If I try to ping an RFC1918 address (except the one allowed), it NATs first rather than acting on the ACL, which denies access to RFC1918 addresses at all.

Interface Vlan1
 ip address 192.168.226.254 255.255.255.0
 ip access-group Net-Access in
 ip nat inside
 ip virtual-reassembly

Extended IP access list Net-Access
    10 permit ip 192.168.226.0 0.0.0.255 192.168.221.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.255.255
    30 deny ip any 172.16.0.0 0.15.255.255
    40 deny ip any 10.0.0.0 0.255.255.255
    50 permit ip any any

ip nat inside source list 100 interface Loopback0 overload

Extended IP access list 100
    10 deny ip 192.168.226.0 0.0.0.255 192.168.221.0 0.0.0.255
    20 permit ip 192.168.226.0 0.0.0.255 any

When I ping the RFC1918 addresses sourced from Vlan1, it actually NATs out.

thx
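As an added illustration that is not part of the original post, the script below models the two ACLs from the config and walks a few inside-to-outside packets through the documented IOS order for that direction, in which the inbound access list on the ingress interface is evaluated before the "ip nat inside source" translation. The Loopback0 address is an assumed placeholder since the post does not give it; the sample destinations are constructed.

```python
import ipaddress

# Constructed model of the two ACLs quoted in the post. Each entry is
# (seq, action, src_net, src_wildcard, dst_net, dst_wildcard); "any" is 0.0.0.0 255.255.255.255.
NET_ACCESS = [
    (10, "permit", "192.168.226.0", "0.0.0.255",       "192.168.221.0", "0.0.0.255"),
    (20, "deny",   "0.0.0.0",       "255.255.255.255", "192.168.0.0",   "0.0.255.255"),
    (30, "deny",   "0.0.0.0",       "255.255.255.255", "172.16.0.0",    "0.15.255.255"),
    (40, "deny",   "0.0.0.0",       "255.255.255.255", "10.0.0.0",      "0.255.255.255"),
    (50, "permit", "0.0.0.0",       "255.255.255.255", "0.0.0.0",       "255.255.255.255"),
]
ACL_100 = [
    (10, "deny",   "192.168.226.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    (20, "permit", "192.168.226.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]
NAT_OUTSIDE_ADDR = "203.0.113.1"  # assumed Loopback0 address; the post does not show it

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for seq, action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action, seq
    return "deny", None

def forward_inside_to_outside(src, dst):
    """Inside-to-outside path: inbound ACL on Vlan1 first, then the NAT source list."""
    action, seq = acl_lookup(NET_ACCESS, src, dst)
    if action == "deny":
        return {"result": "dropped by Net-Access", "seq": seq, "src": src}
    nat_action, _ = acl_lookup(ACL_100, src, dst)
    if nat_action == "permit":
        return {"result": "translated", "seq": seq, "src": NAT_OUTSIDE_ADDR}
    return {"result": "forwarded untranslated", "seq": seq, "src": src}

if __name__ == "__main__":
    for dst in ("192.168.221.10", "192.168.1.10", "172.20.5.5", "10.1.1.1", "8.8.8.8"):
        print(dst, forward_inside_to_outside("192.168.226.10", dst))
```

Under this order only the 192.168.221.0/24 destination and non-RFC1918 destinations get past Net-Access, so a translated ping to another RFC1918 range points at the ACL not being in effect on the interface the traffic actually enters (or at a different order than modelled here) rather than at NAT overriding the access list.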
