Access Control Lists (ACLs) and Network Address Translation (NAT) are two of the most common features that coexist in the configuration of a Cisco ASA appliance. For both inbound and outbound access control lists, the IP addresses specified in the ACL depend on the interface where the ACL is applied. These IP addresses must be valid on the specific interface that the ACL is attached, regardless of NAT. Keep the following statement in mind: An Access Control List takes precedence over NAT. That is, an ACL is evaluated FIRST and then a NAT rule is applied to the packet.

For example, assume an inside host with private address 10.1.1.10 is translated to a public address 200.200.200.10 for outbound traffic (inside to outside). An ACL applied to the inside interface of the ASA firewall will first be evaluated to verify if the host 10.1.1.10 can access the Internet (outbound communication) and if the ACL permits this communication, only then NAT will be performed to translate 10.1.1.10 to 200.200.200.10. This is shown in the figure below.

cisco asa nat and acl access list

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list INSIDE extended permit ip host 10.1.1.10 host 100.100.100.1

ciscoasa(config)# access-group INSIDE in interface inside

!NAT can be applied only if ACL allows the communication

ciscoasa(config)# global (outside) 1 200.200.200.10 netmask 255.255.255.255

ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0

[ad#embedded-square]

Similarly, a scenario with inbound traffic (outside to inside) works again the same way. That is, an ACL is evaluated first for inbound traffic and then a NAT translation rule is applied. For example, assume we have a Web Server located on the inside network (should be on a DMZ for better security but for the sake of simplicity we assume it is located on the inside network). The private address configured on the Web Server is 10.1.1.10. We configured also static NAT on the Firewall to map the private address of the Web Server to a public address 200.200.200.10 on the outside (see figure below). Inbound traffic coming from the Internet towards the public address of the Web Server will first go through an ACL to verify if the traffic is permitted or not. If traffic is allowed by the ACL, then the static NAT will be applied to translate the destination address from 200.200.200.10 to 10.1.1.10.

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 200.200.200.10 eq 80

ciscoasa(config)# access-group OUTSIDE in interface outside

! Static NAT can be applied only if ACL allows the communication

ciscoasa(config)# static (inside,outside) 200.200.200.10 10.1.1.10 netmask 255.255.255.255

UPDATE:

For Cisco ASA version 8.3 and later, the order of operation regarding ACL and NAT is still the same (i.e ACLs are evaluated first and then static NAT takes place), HOWEVER the ACL now must reference the real private IP of the server and NOT the public IP.

In our example above, for ASA 8.3 the ACL would look like below:

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq 80