Cisco NAT and Firewall ACLs. How do they work?

I'm a bit confused. We have two sites, both with Cisco 870w routers, that run local internet for each site and also run a site-to-site VPN between them.

When I set them up I did it with a Cisco techie, and I'm trying to re-familiarise myself with the whole concept because I'm having a few port-related issues.

We have a firewall ACL (on Dialer0 inbound), and also a NAT ACL.

What's the difference?
Which one takes preference?
Which one gets challenged first?

The way I think I understand it is that the packet heads into the router (from the www) and initially hits the firewall ACL; if it's allowed in, it then hits the NAT ACL; if it has an entry listed, it is then pushed through the NAT routing rule to its destination.

Any help would be much appreciated.

Also, is there a command to see which ACLs present on the router are doing what task?

Cheers, Andy
Asked by andrewprouse

ionut_mir commented:
Traffic on port 25 can enter your network, but if your server has a private IP, you should have a NAT statement which translates the server's IP specifically; this way the router will "know" to which device it forwards the mail traffic.

To view the information you want, type sh ip interfaces or sh interfaces (I don't remember exactly :D ).

ionut_mir commented:
The differences are:

Firewall ACLs are intended to block/permit specific traffic.
NAT ACLs are intended to translate your private addresses into public ones so you can access the internet.

There is no order. The packet hits a firewall ACL depending on the direction and the configured ACLs (inbound or outbound on your router).
A packet hits the NAT ACL when a device in your LAN is trying to communicate with an IP outside your LAN.

You can see the access lists with the command:
Router#sh ip access-list

If you have other questions regarding this, please ask!

andrewprouse (author) commented:
So am I right in saying that if there is no NAT rule for port 25 (for example) then no traffic can leave or enter the network on port 25, despite there being a firewall ACL entry allowing port 25 in and out?

Also, the command sh ip access-list shows me the lists but doesn't tell me which list is tied to which interface and in which direction.

andrewprouse (author) commented:
Right, so NAT won't work without the firewall ACL (because the traffic won't be allowed into the network), but the firewall is pretty useless without NAT because the router won't know where to direct the port 25 traffic.

So the firewall allows and denies traffic, and NAT directs the traffic.

Yep, that command works okay.

Thanks for your help.

ionut_mir commented:
In your case, what NAT "does" is called port forwarding.
Usually NAT is used to translate the private addresses into one public IP (from your provider).
When I say usually, I mean in the most simple network: a few hosts, one public IP (one provider).

Glad it worked! ;)
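To make the two answers above concrete, here is an added example Cisco IOS configuration for a single 870-style router. It is not the poster's config and not taken from the thread; the names and addresses are assumptions for illustration only: LAN 192.168.1.0/24 on Vlan1, a mail server at 192.168.1.25, public address 203.0.113.10 on Dialer0, and ACL names NAT_SOURCES and WAN_IN. It shows the NAT ACL (which only classifies which inside sources get translated and permits nothing by itself), the static NAT entry that does the port forwarding for TCP/25, the firewall ACL applied inbound on Dialer0, and the show commands that tell you which list is bound to which interface and direction. One caveat a practitioner needs: on IOS an inbound ACL on the outside interface is evaluated before the outside-to-inside translation, so the firewall line for the mail server must match the public address, not the private one.

```cisco
! Added example, not the poster's configuration. All addresses and names are assumed:
! LAN 192.168.1.0/24 on Vlan1, mail server 192.168.1.25, public IP 203.0.113.10 on Dialer0.

! --- NAT ACL: selects which INSIDE sources get translated. It is a classifier, not a filter;
! --- a "permit" here means "translate this", a "deny" means "do not translate this".
ip access-list standard NAT_SOURCES
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT_SOURCES interface Dialer0 overload

! --- Static NAT (port forwarding): TCP/25 arriving on Dialer0's address goes to the mail server.
! --- Without this line the router has no inside host to hand port-25 traffic to, even if the
! --- firewall ACL permits it.
ip nat inside source static tcp 192.168.1.25 25 interface Dialer0 25

! --- Firewall ACL: decides what is allowed IN on Dialer0. Checked BEFORE the inbound
! --- translation, so match the PUBLIC address here, not 192.168.1.25.
! --- (If the ISP assigns the address dynamically, use "any" as the destination instead.)
ip access-list extended WAN_IN
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 deny   ip any any log

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface Dialer0
 ip address negotiated
 ip nat outside
 ip access-group WAN_IN in

! --- Verification: which list is doing what ---
! Which ACL is bound to the interface and in which direction
! (look for "Inbound access list is WAN_IN" / "Outgoing access list is not set"):
!   show ip interface Dialer0
! Which ACL NAT is using for dynamic translation and the overload interface
! (look for "Inside Source ... access-list NAT_SOURCES interface Dialer0"):
!   show ip nat statistics
! Active translations, including the static TCP/25 entry:
!   show ip nat translations
! Per-line hit counters on the firewall ACL to see what is being permitted or denied:
!   show ip access-lists WAN_IN
```

Reading the two lists together: WAN_IN answers "may this packet enter Dialer0 at all", NAT_SOURCES answers "which inside addresses get rewritten to the public address on the way out", and the static entry answers "where does inbound port-25 traffic go". The deny at the end of WAN_IN is what makes the firewall a firewall; the NAT ACL never drops anything on its own.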