network hardware
Dmitry, 2015-04-20 14:23:47

Does the order of the NAT entries in the Cisco Router matter?

The essence of the question:
There is a Cisco router C2921 running IOS 15.4(3)M.
Two extra interfaces are configured on it (Dialer1 and Tunnel1), plus the standard Gi0/0 as inside and Gi0/1 as outside.
Accordingly, NAT (PAT) is configured on Tunnel1, Dialer1 and Gi0/1: the first two give access to other networks (VPN), Gi0/1 to the Internet. The NAT inside interface is Gi0/0. The internal network is 10.0.0.0/24.
Traffic is routed with static routes:
ip route 192.168.0.0 255.255.255.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Dialer1
ip route 192.168.5.0 255.255.255.0 Dialer1
ip route 192.168.10.0 255.255.255.0 Tunnel1
ip route 192.168.11.0 255.255.255.0 Tunnel1
Next, the traffic is selected with ACLs:
! IOS extended ACLs take wildcard masks (0.0.0.255), not subnet masks
ip access-list extended DIALER
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended TUNNEL
 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip ============
Somehow this question suddenly arose: "If I have already routed the traffic to the right place, why should I additionally select it in the ACL? After all, the config can be simplified by making one ACL like "permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0" for both. And according to the NAT order of operations everything will work: wherever the traffic was sent, that is where it gets NATed."
Having done so, I was surprised: everything started matching the Dialer rule, and access through Tunnel1 disappeared.
I determined experimentally that if "ip nat inside source list TUNNEL interface Tunnel1 overload" is changed to "ip nat inside source list A-TUNNEL interface Tunnel1 overload" (that is, the ACL is renamed A-TUNNEL instead of TUNNEL),
then it moves up in the config and appears before "ip nat inside source list DIALER interface Dialer1 overload". Then it matches everything, and access through Dialer is lost.
So far I have not found exact confirmation of this behaviour in the documentation, hence the question: is this how it is supposed to work?
After all, I always assumed that routing happens earlier, and we have already sent the traffic to the right place with a static route. But it turns out the traffic still hits the ACL of another NAT statement, and moreover according to the order in which the statements appear in the config.
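To see the first-match behaviour the question describes, here is an added Python model (not from the original post and not IOS code) of how an ordered list of "ip nat inside source list ... overload" statements picks a translation: the first ACL that permits the flow decides the interface whose address is used, independent of the static route. The ACL contents (written with wildcard masks), the statement order before and after the A-TUNNEL rename, and the sample host 10.0.0.5 are constructed from the question.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(entries, src, dst):
    """entries: list of (src, src_wildcard, dst, dst_wildcard) permit lines."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in entries)

def nat_interface(nat_statements, acls, src, dst):
    """nat_statements: ordered (acl_name, interface) pairs as they appear in
    the running config. The first ACL that permits the flow decides which
    interface address the source is translated to; None means no translation."""
    for acl_name, iface in nat_statements:
        if acl_permits(acls[acl_name], src, dst):
            return iface
    return None

# Constructed from the question: the original per-destination ACLs ...
SPECIFIC = {
    "DIALER": [("10.0.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
               ("10.0.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
               ("10.0.0.0", "0.0.0.255", "192.168.5.0", "0.0.0.255")],
    "TUNNEL": [("10.0.0.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")],
}
# ... and the "simplified" version, 10.0.0.0/24 -> 192.168.0.0/16 in both.
BROAD = {
    "DIALER": [("10.0.0.0", "0.0.0.255", "192.168.0.0", "0.0.255.255")],
    "TUNNEL": [("10.0.0.0", "0.0.0.255", "192.168.0.0", "0.0.255.255")],
}
# Statement order as observed in the question: DIALER sits above TUNNEL;
# renaming the ACL to A-TUNNEL moves its statement above DIALER.
ORDER = [("DIALER", "Dialer1"), ("TUNNEL", "Tunnel1")]
RENAMED = [("TUNNEL", "Tunnel1"), ("DIALER", "Dialer1")]

def translate_via(acls, order, dst, src="10.0.0.5"):
    return nat_interface(order, acls, src, dst)

if __name__ == "__main__":
    print(translate_via(BROAD, ORDER, "192.168.10.7"))  # Dialer1: Tunnel1 traffic captured
```

With the specific ACLs each destination lands on its own interface; with the broad ACL whichever statement is first in the config captures both VPN destinations, which is exactly the symptom the question reports.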


1 answer
Valentin, 2015-04-20
@vvpoloskin

I hasten to disappoint you. Of course, using the attached link you can find information on the additional IPS-AIM modules, but in general the order of traffic processing with respect to NAT remains the same, namely Source NAT is done before routing. Actually, the situation is similar in Linux and Junos.
A diagram would make it clearer.
