
Cisco NAT and Firewall ACLs. How do they work?

Last Modified: 2012-06-22
I'm a bit confused. We have 2 sites both with Cisco 870w Routers that run local internet for each site and also run a site-to-site VPN between them.

When I set them up I did it with a Cisco techie and I'm trying to re-familiarise myself with the whole concept because I'm having a few port related issues.

We have a Firewall ACL (on Dialer0 inbound), and also a NAT ACL.

What's the difference?
Which one takes preference?
Which one gets challenged first?

The way I think I understand it is that the packet heads into the router (from the www) and initially hits the firewall ACL; if it's allowed in, it then hits the NAT ACL; if it has an entry listed, it is then pushed through the NAT routing rule to its destination.

Any help would be much appreciated.

Also, is there a command to see which ACLs present on the router are doing what task?

Cheers, Andy

The differences are:

Firewall ACLs are intended to block/permit specific traffic.
NAT ACLs are intended to translate your private addresses into public ones so you can access the internet.

There is no order. The packet hits a firewall ACL depending on the direction and the configured ACLs (inbound or outbound on your router).
A packet hits the NAT ACL when a device in your LAN is trying to communicate with an IP outside your LAN.

You can see the access-lists with command:
Router#sh ip access-list

If you have other questions regarding this, please ask!


So am I right in saying that if there is no NAT rule for port 25 (for example) then no traffic can leave or enter the network on port 25, despite there being a firewall ACL entry allowing port 25 in and out?

Also, the command sh ip access-list shows me the lists but doesn't tell me which list is tied to which interface and in which direction.

Traffic on port 25 can enter your network, but if your server has a private IP, you should have a NAT statement which translates the server's IP specifically; this way the router will "know" to which device it forwards the mail traffic.

To view the information you want: type sh ip interfaces, or sh interfaces (I don't remember exactly :D )


Right, so NAT won't work without the firewall ACL (because the traffic won't be allowed into the network), but the firewall is pretty useless without NAT because the router won't know where to direct the port 25 traffic.

So the firewall allows and denies traffic, and NAT directs the traffic.

Yep, that command works okay.

Thanks for your help.

In your case, what NAT "does" is called port forwarding.
Usually NAT is used to translate the private addresses into one public IP (from your provider).
When I say usually I mean in the most simple network: a few hosts, one public IP (one provider).

Glad it worked! ;)
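As an added illustration of the two roles discussed in this thread (the firewall ACL that permits or denies, and the NAT ACL plus port-forwarding statement that tells the router where to send the mail traffic), here is a minimal IOS configuration sketch in the style of an 870-series router. It is example configuration written for this page, not the asker's or the expert's config; the ACL names, the 192.168.1.0/24 and 192.168.2.0/24 LANs, the 192.168.1.25 mail host and the use of Vlan1 as the inside interface are all assumptions. The `show` commands at the end answer the "which list is tied to which interface" question from the thread.

```cisco
! --- Firewall ACL: applied INBOUND on Dialer0, decides what may enter at all ---
! (assumed names/addresses; added example, not the original poster's config)
ip access-list extended FIREWALL-IN
 remark inbound mail to the forwarded server (port 25)
 permit tcp any any eq 25
 remark site-to-site VPN control and data traffic from the other 870w
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark everything else is dropped and logged
 deny ip any any log
!
! --- NAT ACL: which INSIDE sources get translated when they go out ---
! The deny line keeps LAN-to-LAN VPN traffic untranslated so the tunnel
! still sees private addresses (assumed remote LAN 192.168.2.0/24).
ip access-list extended NAT-LAN
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Dynamic PAT: the usual "many private hosts behind one public IP" case
ip nat inside source list NAT-LAN interface Dialer0 overload
!
! Static port forwarding: the "NAT statement which translates the server's IP
! specifically" from the thread; inbound TCP/25 on Dialer0 goes to 192.168.1.25
ip nat inside source static tcp 192.168.1.25 25 interface Dialer0 25
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip access-group FIREWALL-IN in
 ip nat outside
!
! --- Verification: which ACL is bound where, and what NAT is doing ---
! show ip interface Dialer0      -> "Inbound  access list is FIREWALL-IN"
! show ip nat statistics         -> inside/outside interfaces, list NAT-LAN, overload
! show ip nat translations       -> active translations incl. the static tcp/25 entry
! show access-lists              -> per-line hit counters for FIREWALL-IN and NAT-LAN
```

Note for port 25 specifically: `show access-lists` counters on the `permit tcp any any eq 25` line rising while `show ip nat translations` shows no matching entry points at the NAT side; no counter movement at all points at the firewall ACL or upstream. The `deny ip any any log` line also gives a syslog trail of what was refused at Dialer0.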