

Cisco NAT and Firewall ACLs. How do they work?

Posted on 2009-02-19
Medium Priority
Last Modified: 2012-06-22
I'm a bit confused. We have 2 sites, both with Cisco 870w routers that run local internet for each site and also run a site-to-site VPN between them.

When I set them up I did it with a Cisco techie, and I'm trying to re-familiarise myself with the whole concept because I'm having a few port-related issues.

We have a firewall ACL (on Dialer0 inbound), and also a NAT ACL.

What's the difference?
Which one takes preference?
Which one gets challenged first?

The way I think I understand it is that the packet heads into the router (from the WWW) and initially hits the firewall ACL; if it's allowed in it then hits the NAT ACL, and if it has an entry listed it is then pushed through the NAT rule to its destination.

Any help would be much appreciated.

Also, is there a command to see which ACLs present on the router are doing what task?

Cheers, Andy
Question by: andrewprouse

Expert Comment

ID: 23680382
The differences are:

Firewall ACLs are intended to block/permit specific traffic.
NAT ACLs are intended to translate your private addresses into public ones so you can access the internet.

There is no order. A packet hits a firewall ACL depending on the direction and the configured ACLs (inbound or outbound on your router).
A packet hits the NAT ACL when a device in your LAN is trying to communicate with an IP outside your LAN.

You can see the access-lists with command:
Router#sh ip access-list

If you have other question regarding this, please ask!

Author Comment

ID: 23680541
So am I right in saying that if there is no NAT rule for port 25 (for example) then no traffic can leave or enter the network on port 25, despite there being a firewall ACL entry allowing port 25 in and out?

Also, the command sh ip access-list shows me the lists but doesn't tell me which list is tied to which interface and in which direction.

Accepted Solution

ionut_mir earned 2000 total points
ID: 23680588
Traffic on port 25 can enter your network, but if your server has a private IP, you should have a NAT statement which translates the server's IP specifically; this way the router will "know" to which device it forwards the mail traffic.

To view the information you want: type sh ip interfaces, or sh interfaces (I don't remember exactly :D )

Author Comment

ID: 23680684
Right, so NAT won't work without the firewall ACL (because the traffic won't be allowed into the network), but the firewall is pretty useless without NAT because the router won't know where to direct the port 25 traffic.

So the firewall allows and denies traffic, and NAT directs the traffic.

Yep, that command works okay.

thanks for your help.

Expert Comment

ID: 23680742
In your case, what NAT "does" is called port forwarding.
Usually NAT is used to translate the private addresses into one public IP (from your provider).
When I say usually, I mean in the simplest network: a few hosts, one public IP (one provider).

Glad it worked! ;)
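A minimal IOS configuration showing how the three pieces discussed in this thread (the inbound firewall ACL on Dialer0, the NAT ACL, and the static port-forward for port 25) fit together. This is an illustration added here, not taken from the original posts or from the asker's routers. The addresses, interface names and ACL numbers are assumptions (LAN 192.168.1.0/24 on Vlan1, mail server 192.168.1.25, Dialer0 as the PPPoE outside interface with a single dynamic public address); the crypto map and the ISAKMP/ESP permits for the site-to-site VPN are left out. One point worth keeping in mind for the port 25 case: on IOS a packet arriving from the internet on Dialer0 is checked against the inbound access-group before NAT translates it, so the firewall ACL has to permit the public destination, not the server's private address. The NAT ACL (101 here) never blocks anything; it only selects which inside source addresses get translated on the way out.

```cisco
! Added example (not from the thread). Assumed addressing:
!   LAN 192.168.1.0/24 on Vlan1, mail server 192.168.1.25,
!   Dialer0 = outside interface with one dynamic public IP.
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ! firewall ACL, evaluated when the packet arrives, before NAT
 ip access-group 110 in
!
! NAT ACL: chooses which inside sources are translated to the Dialer0 address.
! It permits nothing by itself; a host not matched here simply is not translated.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
! Static port-forward: TCP/25 arriving on the Dialer0 address -> mail server.
ip nat inside source static tcp 192.168.1.25 25 interface Dialer0 25
!
! Firewall ACL on Dialer0 inbound. Because it runs before NAT, the permit for
! SMTP must match the public (pre-translation) destination, hence "any", not
! 192.168.1.25.
access-list 110 permit tcp any any eq 25
! return traffic for sessions opened from the LAN (plain-ACL setup, no CBAC)
access-list 110 permit tcp any any established
! DNS replies to LAN resolvers
access-list 110 permit udp any eq 53 any
! everything else from the internet is dropped and logged
access-list 110 deny ip any any log
```

To see which list is applied where, `show ip interface Dialer0` reports the line "Inbound access list is 110"; `show ip nat statistics` lists the ACL referenced by the dynamic NAT rule (access-list 101), and `show ip nat translations` shows the static TCP/25 entry. If the router was originally built with the SDM firewall template it will most likely have `ip inspect` (CBAC) applied on Dialer0 instead of the `established` and DNS lines above, which are only needed on a plain-ACL setup.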
