Policy routing, routing, and NAT order

Source: Internet
Author: User

Inside-to-Outside

1. If IPSec, check input access list

2. Decryption (for CET)

3. Check input rate limits

4. Input accounting

5. Policy routing

6. Routing

7. Redirect to web cache

8. NAT inside to outside (local to global translation)

9. Crypto (check map and mark for encryption)

10. Check output access list

11. Inspect (Context-Based Access Control, CBAC)

12. TCP intercept

13. Encryption

Outside-to-Inside

1. If IPSec, check input access list

2. Decryption (for CET or IPSec)

3. Check input access list

4. Check input rate limits

5. Input accounting

6. NAT outside to inside (global to local translation)

7. Policy routing

8. Routing

9. Redirect to web cache

10. Crypto (check map and mark for encryption)

11. Check output access list

12. Inspect (CBAC)

13. TCP intercept

14. Encryption

When a packet goes from inside to outside, it is routed first and then translated by NAT.

When a packet comes in from outside to inside, it is first translated by NAT, then policy routed, and then routed.


NAT execution sequence

1. First, nat 0 with an access list (bypass)

2. Then static with an access list

3. One-to-one static translation

4. nat N (N >= 1) with an access list

5. nat 0 or nat N (N >= 1) with a network and mask

6. global pool

7. PAT

Note: within the same level, rules are compared by how specific the access list entries or the network and mask are; the more specific match wins.

 

NAT order

1. nat (inside) 0 access-list nonat-host ----- nat 0 with an access list can be written only once, so this line is not actually entered

1. nat (inside) 0 access-list nonat-network

2. static (inside,outside) 1.1.1.2 access-list static-host

3. static (inside,outside) 1.1.1.3 access-list static-network 0 0

4. static (inside,outside) 1.1.1.4 2.2.2.2

5. nat (inside) 1 access-list nat-host

6. nat (inside) 1 access-list nat-network

7. nat (inside) 0 2.2.2.2 255.255.255.255 -------- note: when comparing this nat 0 line with the nat 1 line below, what is compared is how specific the address and mask that follow are, not the 0 or the 1.

8. nat (inside) 1 2.2.2.0 255.255.255.0 0 0

9. global (outside) 1 1.1.1.100-1.1.1.200

10. global (outside) 1 interface

The execution order above is the same in 6.x and 7.x.
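To show how the seven levels and the same-level tie-break interact, here is an added Python model (not code from the original article) that picks the NAT rule for a given inside source address. The rule names and the 1.1.1.x / 2.2.2.x addresses come from the list above; the contents of the access lists and the 10.1.x.x hosts are assumed, and the nonat-host line is left out because, as noted above, it is not actually entered.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed example: the rule names and the seven-level order follow the
# article's list; the access-list contents and the 10.1.x.x hosts are assumed.
ACLS = {
    "nonat-network": ["10.1.2.0/24"],
    "static-host": ["10.1.1.6/32"],
    "static-network": ["10.1.3.0/24"],
    "nat-host": ["10.1.4.7/32"],      # deliberately inside nat-network
    "nat-network": ["10.1.4.0/24"],
}

# Levels from the article's execution sequence; a lower level is checked first.
LEVEL_NAT0_ACL = 1      # nat 0 access-list (bypass)
LEVEL_STATIC_ACL = 2    # static with access-list
LEVEL_STATIC = 3        # one-to-one static
LEVEL_NATN_ACL = 4      # nat N (N >= 1) access-list
LEVEL_NAT_NETWORK = 5   # nat 0 / nat N with network and mask

# (name, level, match kind, match target, result)
RULES = [
    ("nat 0 access-list nonat-network", LEVEL_NAT0_ACL, "acl", "nonat-network", "bypass"),
    ("static 1.1.1.2 access-list static-host", LEVEL_STATIC_ACL, "acl", "static-host", "1.1.1.2"),
    ("static 1.1.1.3 access-list static-network", LEVEL_STATIC_ACL, "acl", "static-network", "1.1.1.3"),
    ("static 1.1.1.4 2.2.2.2", LEVEL_STATIC, "net", "2.2.2.2/32", "1.1.1.4"),
    ("nat 1 access-list nat-host", LEVEL_NATN_ACL, "acl", "nat-host", "global 1"),
    ("nat 1 access-list nat-network", LEVEL_NATN_ACL, "acl", "nat-network", "global 1"),
    ("nat 0 2.2.2.2 255.255.255.255", LEVEL_NAT_NETWORK, "net", "2.2.2.2/32", "bypass"),
    ("nat 1 2.2.2.0 255.255.255.0", LEVEL_NAT_NETWORK, "net", "2.2.2.0/24", "global 1"),
]

# global (outside) 1: the address pool is used first, PAT on the interface afterwards.
GLOBAL_POOLS = {"global 1": ["pool 1.1.1.100-1.1.1.200", "PAT on interface"]}


def matched_prefixlen(rule, src) -> Optional[int]:
    """Prefix length of the most specific entry of the rule that matches src, or None."""
    _, _, kind, target, _ = rule
    entries = ACLS[target] if kind == "acl" else [target]
    hits = [ip_network(e).prefixlen for e in entries if src in ip_network(e)]
    return max(hits) if hits else None


def select_nat(src_ip: str) -> Optional[Tuple[str, str]]:
    """Pick the rule for an inside source: lowest level first, then the most specific match."""
    src = ip_address(src_ip)
    candidates = []
    for rule in RULES:
        plen = matched_prefixlen(rule, src)
        if plen is not None:
            candidates.append((rule[1], -plen, rule))
    if not candidates:
        return None
    # Ties on (level, specificity) keep the first configured rule, as min() is stable.
    _, _, best = min(candidates, key=lambda c: (c[0], c[1]))
    return best[0], best[4]


def explain(src_ip: str) -> str:
    """Human-readable result, expanding the global pool into its two stages."""
    chosen = select_nat(src_ip)
    if chosen is None:
        return f"{src_ip}: no NAT rule matches, packet is not translated"
    name, result = chosen
    if result in GLOBAL_POOLS:
        result = f"{result} ({', then '.join(GLOBAL_POOLS[result])})"
    return f"{src_ip}: {name} -> {result}"


if __name__ == "__main__":
    for host in ("10.1.2.9", "2.2.2.2", "2.2.2.9", "10.1.4.7", "192.0.2.1"):
        print(explain(host))
```

Two cases are worth watching in the output: 2.2.2.2 matches the static, the nat 0 /32 and the nat 1 /24, and the static wins purely on level; 10.1.4.7 matches both nat 1 access lists at the same level, and the /32 entry wins on specificity, which is the same-level comparison the note above describes.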

Before going through the NAT order-of-operations lists, you first need to understand NAT itself. In its most basic form, NAT translates one IP address into another IP address.

When the router applies this order of operations, it works down the list from the top for each inbound packet. If the packet arrives on an interface designated as a NAT inside interface, the inside-to-outside list applies; if it arrives on an outside interface, the outside-to-inside list applies.

This is the inside-to-outside order of operations:

1. If IPSec, check input access list

2. Decryption (for Cisco Encryption Technology (CET) or IPSec)

3. Check input access list

4. Check input rate limits

5. Input accounting

6. Policy routing

7. Routing

8. Redirect to web cache

9. NAT inside to outside (local to global translation)

10. Crypto (check map and mark for encryption)

11. Check output access list

12. Inspect (Context-Based Access Control, CBAC)

13. TCP intercept

14. Encryption

In the inside-to-outside direction, the router routes the packet first and then applies NAT.

This is the outside-to-inside order of operations:

1. If IPSec, check input access list

2. Decryption (for Cisco Encryption Technology (CET) or IPSec)

3. Check input access list

4. Check input rate limits

5. Input accounting

6. NAT outside to inside (global to local translation)

7. Policy routing

8. Routing

9. Redirect to web cache

10. Crypto (check map and mark for encryption)

11. Check output access list

12. Inspect (CBAC)

13. TCP intercept

14. Encryption

In the outside-to-inside direction, NAT is applied first and then the packet is routed.

Suppose a packet arrives on the outside interface, that is, on the outside-to-inside path, and we want to use an access control list to block a particular IP address. Which address should go into the ACL: the address before translation (the public address) or the address after translation (the private address)?

From the order of operations you can see that the "NAT outside to inside" step comes after the "check input access list" step. Therefore the public IP address is used in the ACL, because the packet has not yet passed through NAT when the inbound ACL is checked.

What if you want to create a static route for NAT traffic? Should it use the public or the private address? In this outside-to-inside case, use the private (inside) address, because NAT has already taken place by the time the routing step runs.
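The two questions above, worked through as an added Python model of the order of operations (not code from the original article): the static NAT entry, the inbound ACL, the routes and the documentation-range addresses are all constructed. outside_to_inside() applies input ACL, then NAT, then routing; inside_to_outside() applies input ACL, then routing, then NAT; each packet records what every step saw, so you can see which address the ACL and the route lookup actually compared against.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed sample data (documentation address ranges); none of it comes from the article.
GLOBAL_TO_LOCAL = {"203.0.113.10": "10.1.1.10"}      # static NAT: outside (global) -> inside (local)
LOCAL_TO_GLOBAL = {v: k for k, v in GLOBAL_TO_LOCAL.items()}
OUTSIDE_INPUT_ACL_DENY: Set[str] = {"198.51.100.7"}   # default inbound ACL on the outside interface
ROUTES = sorted(
    [(ip_network("10.1.1.0/24"), "inside"), (ip_network("0.0.0.0/0"), "outside")],
    key=lambda r: r[0].prefixlen, reverse=True,       # longest prefix first
)


@dataclass
class Packet:
    src: str
    dst: str
    trace: List[str] = field(default_factory=list)   # what each step of the pipeline saw


def check_input_acl(pkt: Packet, deny: Set[str]) -> bool:
    """Inbound ACL: deny if either address of the packet, as seen at this step, is listed."""
    permitted = pkt.src not in deny and pkt.dst not in deny
    pkt.trace.append(f"input-acl src={pkt.src} dst={pkt.dst} -> {'permit' if permitted else 'deny'}")
    return permitted


def route(pkt: Packet) -> str:
    """Longest-prefix route lookup on the destination as it is at this step."""
    dst = ip_address(pkt.dst)
    for net, egress in ROUTES:
        if dst in net:
            pkt.trace.append(f"routing dst={pkt.dst} -> {egress}")
            return egress
    raise LookupError("no route")  # cannot happen here: a default route is present


def nat_outside_to_inside(pkt: Packet) -> None:
    """Global-to-local translation rewrites the destination of an inbound packet."""
    local = GLOBAL_TO_LOCAL.get(pkt.dst)
    if local:
        pkt.trace.append(f"nat dst {pkt.dst} -> {local}")
        pkt.dst = local


def nat_inside_to_outside(pkt: Packet) -> None:
    """Local-to-global translation rewrites the source of an outbound packet."""
    glob = LOCAL_TO_GLOBAL.get(pkt.src)
    if glob:
        pkt.trace.append(f"nat src {pkt.src} -> {glob}")
        pkt.src = glob


def outside_to_inside(pkt: Packet, deny: Set[str]) -> Optional[str]:
    """Article's outside-to-inside order: input ACL, then NAT (global->local), then routing."""
    if not check_input_acl(pkt, deny):
        return None
    nat_outside_to_inside(pkt)
    return route(pkt)


def inside_to_outside(pkt: Packet, deny: Set[str]) -> Optional[str]:
    """Article's inside-to-outside order: input ACL, then routing, then NAT (local->global)."""
    if not check_input_acl(pkt, deny):
        return None
    egress = route(pkt)
    nat_inside_to_outside(pkt)
    return egress


if __name__ == "__main__":
    cases = [
        ("outside->inside, ACL denies private 10.1.1.10", outside_to_inside,
         Packet("198.51.100.9", "203.0.113.10"), {"10.1.1.10"}),
        ("outside->inside, ACL denies public 203.0.113.10", outside_to_inside,
         Packet("198.51.100.9", "203.0.113.10"), {"203.0.113.10"}),
        ("outside->inside, default ACL", outside_to_inside,
         Packet("198.51.100.7", "203.0.113.10"), OUTSIDE_INPUT_ACL_DENY),
        ("inside->outside", inside_to_outside,
         Packet("10.1.1.10", "198.51.100.9"), set()),
    ]
    for label, pipeline, pkt, deny in cases:
        result = pipeline(pkt, deny)
        print(f"{label}: {result or 'dropped'}")
        for line in pkt.trace:
            print("   ", line)
```

Running it shows both answers from the text: a deny entry for the private address 10.1.1.10 never matches on the inbound path because the ACL sees 203.0.113.10, while the route lookup for that same packet is done on 10.1.1.10, so a static route for the host has to use the private address. In the other direction the trace shows routing happening on the untranslated packet and the source being rewritten only afterwards.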
