Cisco NAT and Firewall ACLs. How do they work?

Posted on 2009-02-19
Last Modified: 2012-06-22
I'm a bit confused.  We have 2 sites, both with Cisco 870w routers that run local internet for each site and also run a site-to-site VPN between them.

When I set them up I did it with a Cisco techie, and I'm trying to re-familiarise myself with the whole concept because I'm having a few port-related issues.

We have a firewall ACL (on Dialer0 inbound), and also a NAT ACL.

What's the difference?
Which one takes preference?
Which one gets challenged first?

The way I think I understand it is that the packet heads into the router (from the www) and initially hits the firewall ACL; if it's allowed in, it then hits the NAT ACL, and if it has an entry listed it is then pushed through the NAT routing rule to its destination.

Any help would be much appreciated.

Also, is there a command to see which ACLs present on the router are doing what task?

Cheers, Andy
Question by: andrewprouse

    Expert Comment

    The differences are:

    Firewall ACLs are intended to block/permit specific traffic.
    NAT ACLs are intended to translate your private addresses into public ones so you can access the internet.

    There is no order. The packet hits a firewall ACL depending on the direction and the configured ACLs (inbound or outbound on your router).
    A packet hits the NAT ACL when a device in your LAN is trying to communicate with an IP outside your LAN.

    You can see the access lists with the command:
    Router#sh ip access-list

    If you have other questions regarding this, please ask!

    Author Comment

    So am I right in saying that if there is no NAT rule for port 25 (for example) then no traffic can leave or enter the network on port 25, despite there being a firewall ACL entry allowing port 25 in and out?

    Also, the command sh ip access-list shows me the lists but doesn't tell me which list is tied to which interface and in which direction.

    Accepted Solution

    Traffic on port 25 can enter your network, but if your server has a private IP, you should have a NAT statement which translates the server's IP specifically; this way the router will "know" to which device it forwards the mail traffic.

    To view the information you want, type sh ip interfaces or sh interfaces (I don't remember exactly :D ).

    Author Comment

    Right, so NAT won't work without the firewall ACL (because the traffic won't be allowed into the network), but the firewall is pretty useless without NAT because the router won't know where to direct the port 25 traffic.

    So the firewall allows and denies traffic, and NAT directs the traffic.

    Yep, that command works okay.

    thanks for your help.

    Expert Comment

    In your case, what NAT "does" is called port forwarding.
    Usually NAT is used to translate the private addresses into one public IP (from your provider).
    When I say usually, I mean in the most simple network: a few hosts, one public IP (one provider).

    Glad it worked! ;)
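The two ACL roles discussed in this thread (the NAT ACL that selects which inside addresses get translated, the port-forward the accepted answer asks for, and the firewall ACL bound inbound on Dialer0), shown side by side as an added example. This is not the questioner's or the expert's configuration; it assumes an 870-style box with the LAN on Vlan1, the WAN on Dialer0 with an ISP-assigned address, and example addresses (LAN 192.168.1.0/24, mail server 192.168.1.10, remote VPN site 192.168.2.0/24, VPN peer 198.51.100.7) that are placeholders. One fact worth knowing when reading it: for a packet arriving on Dialer0, IOS evaluates the inbound access-group before the global-to-local NAT step, so the firewall ACL sees the public destination address, never the 192.168.1.x one.

```cisco
! Added example (not from the thread); addresses and names are assumed:
!   LAN 192.168.1.0/24 on Vlan1, mail server 192.168.1.10,
!   remote VPN site LAN 192.168.2.0/24, VPN peer 198.51.100.7,
!   ISP-assigned (dynamic) address on Dialer0.
!
! 1) NAT ACL: decides WHICH inside source addresses get translated. It never
!    drops anything; a host it does not match simply leaves untranslated.
!    Traffic for the VPN peer's LAN is excluded so it is not NATted before
!    the crypto map sees it (inside-to-outside NAT runs before encryption).
ip access-list extended NAT-INSIDE-SOURCES
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE-SOURCES interface Dialer0 overload
!
! 2) Static port forward: inbound TCP/25 arriving at the Dialer0 address is
!    translated to the mail server. Without this entry, inbound port 25 is
!    addressed to the router itself and is never forwarded, however
!    permissive the firewall ACL is.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
!
! 3) Firewall ACL applied inbound on Dialer0. IOS evaluates it BEFORE the
!    global-to-local NAT step, so it must match the public address (here
!    "any", because the Dialer0 address is dynamic), not 192.168.1.10.
ip access-list extended FW-DIALER0-IN
 remark site-to-site VPN from the other office (assumed peer address)
 permit udp host 198.51.100.7 any eq isakmp
 permit esp host 198.51.100.7 any
 remark inbound SMTP to the forwarded mail server
 permit tcp any any eq smtp
 remark replies to connections the LAN opened (a box running CBAC would
 remark use "ip inspect" on the interface instead of this line)
 permit tcp any any established
 deny   ip any any log
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip access-group FW-DIALER0-IN in
!
! Verification. "show ip interface" is what ties an ACL to an interface and
! direction (look for "Inbound  access list is FW-DIALER0-IN");
! "show ip access-lists" only lists the ACLs and their per-line hit counts.
! Router# show ip interface Dialer0 | include access list
! Router# show ip access-lists FW-DIALER0-IN
! Router# show ip nat statistics
! Router# show ip nat translations | include :25
```

The two ACLs are separate objects with separate jobs: the NAT ACL is referenced only by `ip nat inside source list ...` and is never applied with `ip access-group`, while the firewall ACL is applied with `ip access-group` and is never named in a NAT statement. `show ip nat statistics` reports which ACL the dynamic mapping uses, and `show ip nat translations` is the quickest way to confirm that an inbound port 25 connection was actually translated to 192.168.1.10 rather than stopped at the firewall ACL (in which case the `deny ip any any log` line counter climbs instead).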
