The order of operations in IOS is one of the most important topics an engineer can learn. You can spend countless hours trying to figure out the solution to a problem involving NAT, routing, ACLs, QoS and IPsec if you don’t understand in what order the Cisco IOS processes a flow. For example, if you are doing NAT on a device and you want to route traffic going through NAT, will you use the inside or the outside NAT IP address?
The answer is: it depends. The order of operations varies depending on whether the traffic is going from the inside to the outside interface or from the outside to the inside interface. It also varies between the inbound interface and the outbound interface. Let’s look at the official release from Cisco:
The easiest way I have found to remember this is from a TE member who suggested to divide this in 3 phases.
Phase 1: ADARA: ACL(If IPSEC), Decryption, ACL, Rate limit, Accounting
Phase 2: WPRNC: Web Cache Redirect, Policy routing, Routing, NAT, Crypto-map
Phase 3: ACTEQ: ACL, Context-based Access Control (CBAC), TCP Intercept, Encryption, Queuing
Phase 1 is Input and Phase 3 is Output (Input/Output ACLs). Phases 1 and 3 stay the same from inside-to-outside and from outside-to-inside, but Phase 2 changes. From inside-to-outside, Phase 2 runs Policy Routing and Routing before NAT. From outside-to-inside, Phase 2 runs Policy Routing and Routing after NAT.
So let’s look again at the original question: if you are doing NAT on a device and you want to route traffic going through NAT, will you use the inside or the outside NAT IP address? If you check the order of operations, you can determine that if the packet is going from inside-to-outside, you would use the public (outside) IP address, because the traffic has not yet gone through NAT when it reaches the Routing step.
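To make the phase lists concrete, here is a small Python model of the three phases, written for this post as an added example; it is not Cisco code and not part of the original article. It only models the pieces the question is about (input ACL, routing, NAT, output ACL) and skips the rest of each phase. All interface names, prefixes, the static NAT entry and the ACLs are constructed for the illustration. The useful thing it shows is which addresses each step sees: routing runs on the untranslated packet inside-to-outside but on the translated packet outside-to-inside, and an input ACL written against the wrong side of the translation silently drops traffic.

```python
"""Toy model of the IOS order of operations from the three phase lists above.
Added example, not Cisco code. Addresses, routes, NAT entry and ACLs are
constructed for illustration only."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed static NAT entry, inside local -> inside global
# (the equivalent of: ip nat inside source static 192.168.1.10 203.0.113.10)
NAT_LOCAL_TO_GLOBAL = {"192.168.1.10": "203.0.113.10"}
NAT_GLOBAL_TO_LOCAL = {g: l for l, g in NAT_LOCAL_TO_GLOBAL.items()}

# Constructed routing table: prefix -> egress interface
ROUTES = {
    "192.168.1.0/24": "Gi0/0",  # inside LAN (ip nat inside)
    "0.0.0.0/0": "Gi0/1",       # default route toward the ISP (ip nat outside)
}


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ip_address(dst)
    matches = [ip_network(p) for p in ROUTES if addr in ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]


def acl_permits(pkt: Packet, acl) -> bool:
    """acl is a list of (action, src_prefix, dst_prefix); implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action == "permit"
    return False


def translate(pkt: Packet, direction: str) -> Packet:
    """Inside-to-outside rewrites the source; outside-to-inside rewrites the destination."""
    if direction == "inside-to-outside":
        return replace(pkt, src=NAT_LOCAL_TO_GLOBAL.get(pkt.src, pkt.src))
    return replace(pkt, dst=NAT_GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst))


def forward(pkt: Packet, direction: str, in_acl, out_acl) -> dict:
    """Walk one packet through the phases; the trace records what each step saw."""
    trace = {"direction": direction, "steps": []}
    # Phase 1 (ADARA): the input ACL sees the packet exactly as it arrived, pre-NAT.
    if not acl_permits(pkt, in_acl):
        trace["steps"].append(("input ACL", pkt, "deny"))
        trace["result"] = "dropped by input ACL"
        return trace
    trace["steps"].append(("input ACL", pkt, "permit"))
    # Phase 2 (WPRNC): routing before NAT inside-to-outside, NAT before routing outside-to-inside.
    if direction == "inside-to-outside":
        egress = route_lookup(pkt.dst)
        trace["steps"].append(("routing", pkt, egress))
        pkt = translate(pkt, direction)
        trace["steps"].append(("NAT", pkt, None))
    else:
        pkt = translate(pkt, direction)
        trace["steps"].append(("NAT", pkt, None))
        egress = route_lookup(pkt.dst)
        trace["steps"].append(("routing", pkt, egress))
    # Phase 3 (ACTEQ): the output ACL on the egress interface sees the translated packet.
    verdict = "permit" if acl_permits(pkt, out_acl) else "deny"
    trace["steps"].append(("output ACL", pkt, verdict))
    trace["result"] = f"forwarded out {egress}" if verdict == "permit" else "dropped by output ACL"
    trace["egress"] = egress
    trace["final"] = pkt
    return trace


# Constructed ACLs. The input ACL on the outside interface must match the
# inside-global address (NAT has not run yet); the output ACL on the inside
# interface sees the inside-local address (NAT has already run).
ACL_IN_INSIDE = [("permit", "192.168.1.0/24", "0.0.0.0/0")]
ACL_OUT_OUTSIDE = [("permit", "203.0.113.0/24", "0.0.0.0/0")]
ACL_IN_OUTSIDE = [("permit", "0.0.0.0/0", "203.0.113.10/32")]
ACL_OUT_INSIDE = [("permit", "0.0.0.0/0", "192.168.1.10/32")]
# Common mistake: an outside-interface input ACL written against the private address.
ACL_IN_OUTSIDE_WRONG = [("permit", "0.0.0.0/0", "192.168.1.10/32")]


def demo_inside_to_outside() -> dict:
    return forward(Packet("192.168.1.10", "198.51.100.5"), "inside-to-outside", ACL_IN_INSIDE, ACL_OUT_OUTSIDE)


def demo_outside_to_inside() -> dict:
    return forward(Packet("198.51.100.5", "203.0.113.10"), "outside-to-inside", ACL_IN_OUTSIDE, ACL_OUT_INSIDE)


def demo_misplaced_acl() -> dict:
    return forward(Packet("198.51.100.5", "203.0.113.10"), "outside-to-inside", ACL_IN_OUTSIDE_WRONG, ACL_OUT_INSIDE)


if __name__ == "__main__":
    for t in (demo_inside_to_outside(), demo_outside_to_inside(), demo_misplaced_acl()):
        print(t["direction"])
        for step, p, info in t["steps"]:
            print(f"  {step:10s} src={p.src:15s} dst={p.dst:15s} {info or ''}")
        print("  ->", t["result"])
```

Running it prints the per-step trace for each direction. Inside-to-outside, the routing step still sees source 192.168.1.10 and the output ACL on Gi0/1 sees 203.0.113.10; outside-to-inside, NAT rewrites the destination to 192.168.1.10 before the route lookup, which is what sends the packet toward Gi0/0. The third run is the failure mode to keep in mind when troubleshooting: the input ACL on the outside interface that permits 192.168.1.10 never matches, because at Phase 1 the destination is still 203.0.113.10.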
Finally, another important list for the order of operations is the “Queuing” one. Cisco has a separate list for the QoS order of operations, here it is:
Hope this was informative.