ACL or NAT (Which one comes first when packet exiting an interface)


Please look at the following config , I assumed that the ACL gonna come first and won't let the packet go out.

but strangely packet is natted and the ACL doesn't do anything.

*** If I try to ping a RFC1918 address (except the one allowed) , it nats first rather than acting on ACL which denies accessing RFC1918 addresses at all.


Interface Vlan1
 ip address
 ip access-group Net-Access in
 ip nat inside
 ip virtual-reassembly


Extended IP access list Net-Access
    10 permit ip
    20 deny ip any
    30 deny ip any
    40 deny ip any
    50 permit ip any any


ip nat inside source list 100 interface Loopback0 overload


Extended IP access list 100
    10 deny ip
    20 permit ip any


When I ping the RFC1918 addresses sourced from vlan1 , it actually nats out.




Sign In or Register to comment.