Folks,
I'm about to do some testing to look for a working answer to this, but in the meantime I'm wondering if anyone has a link handy to official docs (or thoughts in general) that answer the following:
If you have an ACL applied to your outside interface, and are PATting traffic from inside to outside, which rules take precedence: the ACL or the translation rules? That is, if I, from the inside, initiate an outbound connection and a translation is created, does the implicit "allow traffic from destination host:port to source host:port" get processed before the ACL, or between the ACL and the implicit "deny ip any any"? I would think that the ACL would take precedence over the translation, otherwise what's the point of having an ACL?
The testing is going to be done on a PIX running version 6.1, but that shouldn't affect anything too much. Also, the command reference for access-list and NAT doesn't help much, otherwise I wouldn't be asking. Did I miss a keyword in my search on Google? :)
Regards,
Chris Swinford
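To make the order-of-operations question concrete, here is an added Python model (not from the original post, and not PIX code) of an outside interface with an inbound ACL and dynamic PAT. It assumes the processing order commonly described for stateful firewalls: an existing-connection lookup first, then the interface ACL, then the implicit deny; an outbound connection creates a PAT xlate and a connection entry, and only that exact return flow bypasses the ACL. Addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """5-tuple as seen on the wire (addresses are constructed examples)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """Simplified model of an outside interface: conn table, ACL, implicit deny.

    Assumed order for inbound packets (a model, not the PIX implementation):
      1. existing-connection lookup  -> permit return traffic of an outbound flow
      2. ACL applied to the outside interface, first match wins
      3. implicit 'deny ip any any'
    """
    def __init__(self, outside_ip, acl):
        self.outside_ip = outside_ip
        self.acl = acl            # entries: (proto, dst_ip|'any', dst_port|None, action)
        self.conns = set()        # inbound-direction flows that belong to known connections
        self.next_pat_port = 1024 # next free port for dynamic PAT

    def outbound(self, flow):
        """Inside host opens a connection: allocate a PAT port and record the conn."""
        mapped = Flow(flow.proto, self.outside_ip, self.next_pat_port, flow.dst, flow.dport)
        self.next_pat_port += 1
        self.conns.add(mapped.reverse())  # the return flow, as it arrives from outside
        return mapped

    def inbound(self, flow):
        """Packet arriving on the outside interface."""
        if flow in self.conns:
            return "permit (existing connection)"
        for proto, dst, port, action in self.acl:
            if proto in (flow.proto, "ip") and dst in (flow.dst, "any") and port in (flow.dport, None):
                return f"{action} (acl)"
        return "deny (implicit deny ip any any)"
```

Unsolicited traffic aimed at a PAT port from any other host never matches the connection table, so it still falls through to the ACL and the implicit deny; the translation alone does not open a hole.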