| Inside-to-Outside | Outside-to-Inside |
|---|---|
Sources one and two contradict each other, so YMMV. The table reproduced above is from the second source, with the QoS order of operations added from source three. It still does not sound right to me, but leave me a comment if you think otherwise.
In the above table, the only difference between packets flowing inside -> outside and outside -> inside is the order of NAT and routing.
When a packet is going from inside to outside, you route first. This lets the router determine which exit interface will be used. Once both the inbound and outbound interfaces are known, you also know whether NAT needs to be applied.
When a packet is going from outside to inside, you check the NAT translation table first, according to the table above. I think routing should be checked first, since then you know your inbound and outbound interfaces, which tells you whether you need to check the NAT translation table for an existing entry.
For example: if a packet arrives at the outside interface and is destined for the DMZ, which isn't NATed, checking the NAT translation table before the routing table slows things down. If instead you checked the routing table to determine your exit interface, you would know there are no NAT translations in place for that path and could skip the check.
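To make the DMZ argument concrete, here is a small added model (not from the post or any Cisco source) of the outside-to-inside path in both orders: NAT table first as in the table, and routing first as proposed. The routes, NAT table and addresses are constructed, and the model assumes a route exists for the inside-global pool pointing at the inside interface so that routing first still lands on the NAT interface.

```python
import ipaddress

# Constructed sample config (not from the post): routes, NAT table, NAT interfaces.
ROUTES = {                         # prefix -> exit interface
    "10.10.0.0/16": "inside",      # inside LAN (NAT configured on this interface)
    "192.168.50.0/24": "dmz",      # DMZ, not NATed
    "203.0.113.0/24": "inside",    # assumption: inside-global pool routed toward inside
    "0.0.0.0/0": "outside",
}
NAT_TABLE = {"203.0.113.10": "10.10.1.25"}   # inside global -> inside local (constructed)
NAT_INTERFACES = {"inside"}                  # exit interfaces on which NAT applies


def route(dst):
    """Longest-prefix match over ROUTES; returns the exit interface name."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def forward(dst, route_first):
    """Process an outside->inside packet; return (exit_iface, final_dst, nat_lookups).

    route_first=False follows the table above (NAT table checked for every packet).
    route_first=True follows the proposal: route, then consult NAT only if the
    chosen exit interface has NAT configured.
    """
    lookups = 0
    if route_first:
        exit_iface = route(dst)
        if exit_iface in NAT_INTERFACES:       # DMZ-bound packets skip the table entirely
            lookups += 1
            dst = NAT_TABLE.get(dst, dst)
            exit_iface = route(dst)            # re-route on the translated address
    else:
        lookups += 1                           # table consulted unconditionally
        dst = NAT_TABLE.get(dst, dst)
        exit_iface = route(dst)
    return exit_iface, dst, lookups


if __name__ == "__main__":
    for dst in ("192.168.50.5", "203.0.113.10"):
        for rf in (False, True):
            print(dst, "route_first=%s" % rf, forward(dst, rf))
```

Both orders deliver the same result; the difference is that the DMZ-bound packet costs one NAT table lookup in the table's order and none in the proposed one.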
More generally you could say the packet flow through a Cisco router is:
- Input Decryption
- Input ACLs
- QoS classification
- QoS policing
- IP Accounting
- WCCP
- Routing
- NAT
- Crypto Check
- Output ACLs
- Encryption
- QoS Queueing