More of a Technical Question - Why Does NAT Work Even Though I Have an ACL to Block Incoming Traffic?

This is more of a general networking question.
I configure ip nat out on the external interface.
I also configure an ACL to prevent traffic coming in on that external interface.
Users can go to the internet, which means NAT is working.
Why?

Comments

  • Because the incoming traffic is initiated from the inside interface and not the external.

  • "incoming traffic is initiated from the inside interface".
    Sorry, can you explain this?
    I thought the ACL would block traffic regardless of where it is initiated?

  • Well, if it should block all incoming traffic, then reply packets from the inside-initiated sessions would not get through and nothing would work.
    A simple 3-way handshake would not work.

  • Presumably your Deny policy has From: Any-external, which allows packets from whatever is connected to the external interface - usually the Internet.

    Also, reply packets are automatically allowed.
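The behaviour the comments describe (inside-initiated sessions create state, replies to that state are allowed, anything else hitting the external interface is denied) can be modelled in a few lines. The following is an added illustration, not code from this thread or from any vendor's NAT implementation; the addresses, ports and the `NatEdge`, `Packet` and `walk_through` names are constructed for the example. Passing `stateful=False` shows the failure mode from the third comment: with no session table consulted, the deny rule eats the SYN/ACK and the handshake never completes.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (constructed labels)


class NatEdge:
    """Constructed model of a NAT edge with a deny-all inbound rule on the
    external interface. Outbound packets allocate a translation and record
    the remote peer; inbound packets are only allowed when they match that
    recorded session (a reply). Not any real router's code path."""

    def __init__(self, outside_ip: str, stateful: bool = True):
        self.outside_ip = outside_ip
        self.stateful = stateful
        self.next_port = 40000
        # inside-global port -> (inside local ip, inside local port, remote ip, remote port)
        self.sessions: dict[int, tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: translate source to the outside IP and remember the peer."""
        gport = self.next_port
        self.next_port += 1
        self.sessions[gport] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.outside_ip, sport=gport)

    def inbound(self, pkt: Packet):
        """Outside -> inside: a packet matching an existing session is a reply
        and is translated back and allowed; everything else hits the inbound
        deny rule on the external interface."""
        if self.stateful and pkt.dst == self.outside_ip:
            entry = self.sessions.get(pkt.dport)
            if entry and (entry[2], entry[3]) == (pkt.src, pkt.sport):
                return "ALLOW", replace(pkt, dst=entry[0], dport=entry[1])
        return "DENY", None


def walk_through(stateful: bool = True) -> dict:
    """Run one inside-initiated handshake plus one unsolicited inbound SYN."""
    edge = NatEdge("203.0.113.1", stateful=stateful)  # constructed outside IP

    # 1. Inside host opens a connection; the edge translates it on the way out.
    syn = Packet("192.168.1.10", 51000, "198.51.100.80", 443, "S")
    on_wire = edge.outbound(syn)

    # 2. The remote server answers the translated address; this is the reply
    #    packet the comments say is "automatically allowed".
    synack = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport, "SA")
    reply_verdict, reply_pkt = edge.inbound(synack)

    # 3. An unrelated host on the internet sends a new SYN to the outside IP;
    #    no session exists, so the inbound deny rule applies.
    unsolicited = Packet("198.51.100.99", 4444, "203.0.113.1", 22, "S")
    unsolicited_verdict, _ = edge.inbound(unsolicited)

    return {
        "reply": reply_verdict,
        "reply_delivered_to": reply_pkt.dst if reply_pkt else None,
        "unsolicited": unsolicited_verdict,
    }


if __name__ == "__main__":
    print("stateful edge:", walk_through())
    print("stateless ACL only:", walk_through(stateful=False))
```

With the session table in play the SYN/ACK is untranslated back to 192.168.1.10 and allowed while the unsolicited SYN is denied; with `stateful=False` both are denied, which is exactly the "nothing would work" outcome described above.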
