  1. Junior Member Registered Member
    Join Date
    Dec 2015
    Posts
    4
    #1

    Isn't it better to perform Router-ZBF processes before NAT processes on a Cisco router?

    Hello guys.


    As you know, if NAT and Zone-Based Firewall (ZBF) have been configured on a Cisco router,
    the NAT mechanism is performed before the ZBF mechanism.

    So, suppose you denied access, from your inside zone, to a website with the IP address 5.5.5.5 that is in the outside zone.

    Also suppose you NAT'ed your inside IPs to an inside global address.

    Because NAT precedes ZBF, all your requests for 5.5.5.5 are NAT'ed and then ZBF drops them.

    My question is:

    Isn't this precedence CPU- and memory-consuming?

    Isn't it better to do ZBF and, if the traffic has permission to go outside, then do the NAT?

  3. Network Engineer Hondabuff's Avatar
    Join Date
    Aug 2012
    Location
    USA
    Posts
    637

    Certifications
    CCNA:S, CCNA, CCENT, CCNP:R&S,MECP, A+, Network+, Security+, Network Security Diploma
    #2
    If you were setting up a SOHO with a router, you would have implemented NAT long before you would attempt setting up the firewall.

  4. Junior Member Registered Member
    Join Date
    Dec 2015
    Posts
    4
    #3
    I did not get your answer or its relevance to my question!
    Please explain it.

  5. Network Engineer Hondabuff's Avatar
    Join Date
    Aug 2012
    Location
    USA
    Posts
    637

    Certifications
    CCNA:S, CCNA, CCENT, CCNP:R&S,MECP, A+, Network+, Security+, Network Security Diploma
    #4
    An IOS router will always process the NAT statement first before doing ZBF. Yes, it takes more processing to do, but why the concern? A lot of SOHO setups do not use the ZBF feature and rely on the firewall in the modem. If the processing is above 50% on the router, then it's time to upgrade to a larger enterprise model.

  6. Junior Member Registered Member
    Join Date
    Dec 2015
    Posts
    4
    #5
    Thanks, that's my answer. Got it.