On Thu, May 23, 2002 at 09:41:34AM +0200, Ben Nagy wrote:
> In Cisco Land, inbound ACLs get processed before NAT.
>
> That's not guaranteeing that it's _exactly_ the same for the PIX, but
> I'm prepared to bet it will be almost identical.
>
> [1] http://www.cisco.com/warp/public/556/5.html

On PIX I've observed ACL before NAT outside to inside. However, if you
look here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7

it states:

"For inbound connections, destination_addr is the address after NAT has
been performed. For outbound connections, destination_addr is the
address before NAT has been performed."

which I think makes more sense, because of things like port
redirection. I haven't had a chance to investigate further.

--
Kevin Steves | [EMAIL PROTECTED]
Atomic Gears LLC | http://www.atomicgears.com/