Options
It's not better to perform Router-ZBF processes before NAT processes on Cisco Router?
MehranBazgir
Registered Users Posts: 4 ■□□□□□□□□□
Hello guys.
As you know, if NAT and Zone-Based Firewall (ZBF) have been configured on a Cisco router,
NAT mechanism is performed before ZBF mechanism.
So, suppose you denied accessing, from your inside zone, to a website with 5.5.5.5 IP address, that is outside zone.
Also suppose you NAT'ed your inside IPs to an inside global address.
because NAT precedes ZBF, all your requests for 5.5.5.5 are NAT'ed and then ZBF drop them.
My question is;
Isn't this precedence, CPU and Memory consuming??
It is not better to do ZBF and if the traffic have the permission to go outside, then do the NAT??
As you know, if NAT and Zone-Based Firewall (ZBF) have been configured on a Cisco router,
NAT mechanism is performed before ZBF mechanism.
So, suppose you denied accessing, from your inside zone, to a website with 5.5.5.5 IP address, that is outside zone.
Also suppose you NAT'ed your inside IPs to an inside global address.
because NAT precedes ZBF, all your requests for 5.5.5.5 are NAT'ed and then ZBF drop them.
My question is;
Isn't this precedence, CPU and Memory consuming??
It is not better to do ZBF and if the traffic have the permission to go outside, then do the NAT??
Comments
-
Options
Hondabuff
Member Posts: 667 ■■■□□□□□□□
If you were setting up a SOHO with a router you would of implemented NAT long before you would attempt setting up the Firewall.“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln -
OptionsMehranBazgir
Registered Users Posts: 4 ■□□□□□□□□□
I did not get your answer or its relevance to my question.!!!!
please explain it. -
OptionsHondabuff
Member Posts: 667 ■■■□□□□□□□
IOS router will always process the NAT statement first before doing ZBF. Yes it takes more processing to do but why the concern? A lot of SOHO setups do not use the ZBF feature and rely on the firewall in the modem. If the processing is above 50% on the router then its time to upgrade into a larger enterprise model.“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln