It's not better to perform Router-ZBF processes before NAT processes on Cisco Router?

Hello guys.

As you know, if NAT and Zone-Based Firewall (ZBF) have been configured on a Cisco router,
NAT mechanism is performed before ZBF mechanism.

So, suppose you denied accessing, from your inside zone, to a website with 5.5.5.5 IP address, that is outside zone.

Also suppose you NAT'ed your inside IPs to an inside global address.

because NAT precedes ZBF, all your requests for 5.5.5.5 are NAT'ed and then ZBF drop them.

My question is;

Isn't this precedence, CPU and Memory consuming??

It is not better to do ZBF and if the traffic have the permission to go outside, then do the NAT??

Find more posts tagged with

Comments

Hondabuff

If you were setting up a SOHO with a router you would of implemented NAT long before you would attempt setting up the Firewall.

MehranBazgir

I did not get your answer or its relevance to my question.!!!!
please explain it.

Hondabuff

IOS router will always process the NAT statement first before doing ZBF. Yes it takes more processing to do but why the concern? A lot of SOHO setups do not use the ZBF feature and rely on the firewall in the modem. If the processing is above 50% on the router then its time to upgrade into a larger enterprise model.

MehranBazgir

Thanks, That's my answer. Got it.