In Cisco Land, inbound ACLs get processed before NAT. Let's get more specific[1]. For Outside to Inside, here's the order _FOR_IOS_:

  - If IPSec then check input access list
  - decryption - for CET or IPSec
  - check input access list
  - check input rate limits
  - input accounting
  - inspect
  - NAT outside to inside (global to local translation)
  - policy routing
  - routing
  - redirect to web cache
  - crypto (check map and mark for encryption)
  - check output access list
  - inspect
  - tcp intercept
  - Encryption

That's not guaranteeing that it's _exactly_ the same for the PIX, but I'm prepared to bet it will be almost identical.

Cheers,

[1] http://www.cisco.com/warp/public/556/5.html

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Swinford, Chris
Sent: Wednesday, May 22, 2002 9:46 PM
To: '[EMAIL PROTECTED]'
Subject: ACLs and NAT: which comes first? (NON-HTML VERSION)

My apologies for the HTML email. Just found me a little "feature" in Outlook. (ugh!) For those with more streamlined (and HTML-hating) email clients, see below:

-----Original Message-----
From: Swinford, Chris
Sent: Wednesday, May 22, 2002 3:41 PM
To: '[EMAIL PROTECTED]'
Subject: PIX: ACLs and NAT: which comes first?

Folks,

I'm about to do some testing to look for a working answer to this, but in the meantime I'm wondering if anyone has a link handy to official docs (or thoughts in general) that answer the following:

If you have an ACL applied to your outside interface, and are PATting traffic from inside to outside, which rules take precedence: the ACL or the translation rules? That is, if I, from the inside, initiate an outbound connection and a translation is created, does the implicit "allow traffic from destination host:port to source host:port" get processed before the ACL, or between the ACL and the implicit "deny ip any any"?

I would think that the ACL would take precedence over the translation, otherwise what's the point of having an ACL?

The testing is going to be done on a PIX running version 6.1, but that shouldn't affect anything too much.

Also, the command reference for access-list and NAT don't help much, otherwise I wouldn't be asking. Did I miss a keyword in my search on google? :)

Regards,
Chris Swinford

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
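The practical consequence of the order Ben quotes (input ACL, then global-to-local NAT, then routing, then output ACL) is that an inbound ACL on the outside interface is evaluated against the untranslated, global address of the packet, so an entry written against the inside host's real address never matches. The following is an added Python model of that ordering, written for this thread and not code from either poster or from Cisco; the addresses, the PAT table and the decision to drop a packet with no matching translation (PIX-style behaviour) are constructed assumptions, and the routing, inspect and crypto steps are deliberately left out.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src_net: str                # CIDR, e.g. "0.0.0.0/0" for any
    dst_net: str
    dport: Optional[int] = None  # None means any destination port


def acl_verdict(acl: Sequence[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; an implicit 'deny ip any any' closes the list."""
    for e in acl:
        if (ip_address(pkt.src) in ip_network(e.src_net)
                and ip_address(pkt.dst) in ip_network(e.dst_net)
                and (e.dport is None or e.dport == pkt.dport)):
            return e.action
    return "deny"


# Constructed xlate (PAT) table: (global ip, global port) -> (local ip, local port).
# 203.0.113.0/24 is a documentation prefix standing in for the outside address.
XLATES: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("203.0.113.10", 40000): ("10.1.1.5", 51000),
}


def nat_outside_to_inside(pkt: Packet, xlates) -> Optional[Packet]:
    """Global-to-local translation of the destination; None if no xlate exists."""
    entry = xlates.get((pkt.dst, pkt.dport))
    if entry is None:
        return None
    local_ip, local_port = entry
    return replace(pkt, dst=local_ip, dport=local_port)


def outside_to_inside(pkt: Packet, inbound_acl: Sequence[AclEntry], xlates,
                      outbound_acl: Optional[Sequence[AclEntry]] = None):
    """Walk a packet through the outside-to-inside order: input ACL, NAT, output ACL.

    Returns (result, trace); the trace records which address each step saw.
    """
    trace: List[Tuple[str, str, str]] = []

    # Step 1: input ACL on the outside interface sees the GLOBAL destination.
    v = acl_verdict(inbound_acl, pkt)
    trace.append(("input acl", v, pkt.dst))
    if v == "deny":
        return "dropped by input acl", trace

    # Step 2: NAT outside-to-inside rewrites the destination to the local host.
    inside = nat_outside_to_inside(pkt, xlates)
    if inside is None:
        trace.append(("nat", "no translation", pkt.dst))
        return "dropped: no translation", trace   # assumption: PIX-style drop
    trace.append(("nat", "translated", inside.dst))

    # Step 3: output ACL on the inside interface (if any) sees the LOCAL address.
    if outbound_acl is not None:
        v = acl_verdict(outbound_acl, inside)
        trace.append(("output acl", v, inside.dst))
        if v == "deny":
            return "dropped by output acl", trace
    return "forwarded", trace


# Constructed return packet from a web server to the PAT'd global socket.
RETURN_PKT = Packet(src="198.51.100.7", dst="203.0.113.10", sport=80, dport=40000)

# Mistake: inbound ACL written against the inside host's real address.
ACL_LOCAL_ADDR = [AclEntry("permit", "0.0.0.0/0", "10.1.1.5/32")]
# Correct for this ordering: inbound ACL written against the global address.
ACL_GLOBAL_ADDR = [AclEntry("permit", "0.0.0.0/0", "203.0.113.10/32", 40000)]
# Output ACL on the inside interface may name the local host, since NAT ran first.
INSIDE_OUT_ACL = [AclEntry("permit", "0.0.0.0/0", "10.1.1.0/24")]


if __name__ == "__main__":
    for name, acl in (("local-address acl", ACL_LOCAL_ADDR),
                      ("global-address acl", ACL_GLOBAL_ADDR)):
        result, trace = outside_to_inside(RETURN_PKT, acl, XLATES, INSIDE_OUT_ACL)
        print(name, "->", result)
        for step in trace:
            print("   ", step)
```

Running it shows the first ACL dropping the packet at the input step because the ACL compared against 203.0.113.10, never 10.1.1.5, while the second forwards it and the output ACL on the inside interface then sees the translated 10.1.1.5. The takeaway for an outside-interface ACL on IOS and PIX of this era is to reference global addresses; later ASA releases (8.3 and up) reversed this and evaluate ACLs against real addresses, so check the platform's documented order before copying rules between them.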
