
ACL or NAT (which one comes first when a packet exits an interface?)
Hi,
Please look at the following config. I assumed that the ACL was going to come first and wouldn't let the packet go out,
but strangely the packet is NATed and the ACL doesn't do anything.
*** If I try to ping an RFC1918 address (except the one allowed), it NATs first rather than acting on the ACL, which denies access to RFC1918 addresses at all.
interface Vlan1
ip address 192.168.226.254 255.255.255.0
ip access-group Net-Access in
ip nat inside
ip virtual-reassembly
Extended IP access list Net-Access
10 permit ip 192.168.226.0 0.0.0.255 192.168.221.0 0.0.0.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 172.16.0.0 0.15.255.255
40 deny ip any 10.0.0.0 0.255.255.255
50 permit ip any any
ip nat inside source list 100 interface Loopback0 overload
Extended IP access list 100
10 deny ip 192.168.226.0 0.0.0.255 192.168.221.0 0.0.0.255
20 permit ip 192.168.226.0 0.0.0.255 any
When I ping RFC1918 addresses sourced from Vlan1, it actually NATs out.
thx
Comments
I don't quite get your NAT config. Maybe a little output might help -- you know -- I do this, I get that... sort of thing.
Regarding NAT order of ops....
Just a thought... could this possibly be because the traffic is sourced from the router? Is it possible you can try from a device behind Vlan1 and see if you get the same results?
Hi Matt,
That was actually what I also supposed, but I have no access to any of the devices behind the router.
My best guess is that the ACL is not applied when the traffic is sourced from the router itself; NAT applies to its own traffic, but the ACL doesn't seem to have an effect.
Thx
NAT order of operations depends on whether you are coming inbound or outbound, and whether it is an inside vs outside translation. These issues with order of operations are what the NAT Virtual Interface (NVI) is used to fix. Check this document for more info on the order of operations:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Brian McGahan, CCIE #8593 (R&S/SP/Security)
[email protected]
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.INE.com
ssg14 wrote:
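The behaviour discussed in the original post and in Brian's reply, as an added example that is not part of any post in this thread and is not Cisco code: a small Python model of the poster's two access lists (Net-Access and list 100, copied from the config above) run through the documented inside-to-outside order, where the inbound interface ACL is evaluated before inside-source NAT. It also models router-originated traffic separately: such a packet never enters through an interface, so there is no inbound ACL to consult, and only the NAT list decides whether it gets translated. The Loopback0 address is a constructed placeholder (the thread never states it), and the pipeline is a simplified model of the order of operations, not IOS itself.

```python
import ipaddress

# Constructed placeholder: the thread does not give Loopback0's address.
LOOPBACK0_IP = "203.0.113.1"

# "any" in IOS ACL syntax: base 0.0.0.0 with an all-ones wildcard mask.
ANY = ("0.0.0.0", "255.255.255.255")

# Entries are (seq, action, src_base, src_wildcard, dst_base, dst_wildcard),
# transcribed from the poster's "Extended IP access list Net-Access".
NET_ACCESS = [
    (10, "permit", "192.168.226.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    (20, "deny", *ANY, "192.168.0.0", "0.0.255.255"),
    (30, "deny", *ANY, "172.16.0.0", "0.15.255.255"),
    (40, "deny", *ANY, "10.0.0.0", "0.255.255.255"),
    (50, "permit", *ANY, *ANY),
]

# The NAT translation list ("ip nat inside source list 100 ...").
NAT_LIST_100 = [
    (10, "deny", "192.168.226.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    (20, "permit", "192.168.226.0", "0.0.0.255", *ANY),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for seq, action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None


def process_outbound(src, dst, locally_generated=False):
    """Walk one packet along the (simplified) inside-to-outside path.

    Forwarded traffic entering Vlan1 hits the inbound ACL first, then the
    NAT inside-source list. A router-originated packet has no ingress
    interface, so the inbound ACL step does not exist for it.
    """
    trace = []
    if locally_generated:
        trace.append("locally generated: no ingress interface, inbound ACL skipped")
    else:
        action, seq = acl_lookup(NET_ACCESS, src, dst)
        trace.append(f"inbound ACL Net-Access on Vlan1: {action} (seq {seq})")
        if action == "deny":
            return {"result": "dropped", "src_after_nat": src, "trace": trace}

    action, seq = acl_lookup(NAT_LIST_100, src, dst)
    if action == "permit":
        trace.append(f"NAT list 100 seq {seq}: translate {src} -> {LOOPBACK0_IP}")
        new_src = LOOPBACK0_IP
    else:
        trace.append(f"NAT list 100 seq {seq}: no translation")
        new_src = src
    return {"result": "forwarded", "src_after_nat": new_src, "trace": trace}


if __name__ == "__main__":
    cases = [
        ("192.168.226.10", "10.1.1.1", False),     # host behind Vlan1 to RFC1918
        ("192.168.226.254", "10.1.1.1", True),     # ping sourced from Vlan1 itself
        ("192.168.226.10", "192.168.221.5", False),  # the one permitted RFC1918 net
        ("192.168.226.10", "198.51.100.7", False),  # ordinary Internet-bound flow
    ]
    for src, dst, local in cases:
        r = process_outbound(src, dst, locally_generated=local)
        print(f"{src} -> {dst} (local={local}): {r['result']}, src now {r['src_after_nat']}")
        for line in r["trace"]:
            print("   ", line)
```

The first two cases are the contrast the thread is about: the same destination is dropped by Net-Access sequence 40 when a host behind Vlan1 sends it, but a ping sourced from the router's own Vlan1 address never meets that inbound ACL and is translated by list 100, which is consistent with what the poster observed.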