nat order and deny statements in acl's

Unanswered Question
Jun 12th, 2007

I have recently upgraded an ASA from version 7.0 to 7.2.2. After the upgrade a number of nat statements had been removed. This was related to icmp specific acl's in the nat acl's. After resolving this, the nat statements were re-added at the end of the nat list. The problem is that the ASA seems to match nat 3 rather than nat 2 (which is now at the end of the list). I have added a deny to the access-list for the specific traffic for nat3, however the ASA still seems to be matching the acl for nat3.

I have used deny statements in nat acl's before and haven't had a problem however this doesn't appear to be working.

The acl's for the nat statements are below.

access-list nat0-inside line 1 extended deny ip
access-list nat3-inside line 1 extended deny ip
access-list nat2-inside line 1 extended permit ip

Output for the packet-tracer is below.

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW

nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
match ip inside outside
dynamic translation to pool 3 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Any assistance would be appreciated!

jaffer_sathik2010 Wed, 06/13/2007 - 04:45


You have created 3 access-lists with different names, so there is confusion in the ordering!!! (Each acl has only one entry).

Regarding nat, it will be processed one after another from top to bottom.

[If you are using both static nat and dynamic nat, static nat will take the priority].

In your scenario, since you have attached Acl-3 with nat3, acl-2 will not come into play anymore.

So, remove the following command:

nat (inside) 3 access-list nat3-inside

Add the following one:

nat (inside) 3 access-list nat2-inside

[Just changed the access-list]

Hope it helps.
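The ordering rule described in the reply above (static nat first, then the nat statements in configuration order, first match wins), modelled as an added example; this is not code from the thread or from Cisco. It assumes, since the thread never settles the point, that a deny ACE in a nat access-list simply makes that statement fall through to the next one; all networks and the ACE contents are constructed, because the post shows the access-lists truncated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR ("0.0.0.0/0" = any)

@dataclass
class NatRule:
    nat_id: int            # 0 = NAT exemption, otherwise the global pool id
    acl: list              # ordered ACEs of the referenced access-list
    static: bool = False   # static translations are evaluated before dynamic ones

def acl_lookup(acl, src, dst):
    """First ACE matching the flow decides: 'permit', 'deny', or None."""
    for ace in acl:
        if src in ip_network(ace.src) and dst in ip_network(ace.dst):
            return ace.action
    return None

def match_nat(rules, src, dst):
    """nat_id of the first statement whose ACL permits the flow, else None."""
    src, dst = ip_address(src), ip_address(dst)
    ordered = [r for r in rules if r.static] + [r for r in rules if not r.static]
    for rule in ordered:
        # assumption: a deny (or no ACE match) moves on to the next statement
        if acl_lookup(rule.acl, src, dst) == "permit":
            return rule.nat_id
    return None   # nothing matched; with nat-control this flow gets no translation

# Constructed stand-ins for the three access-lists in the thread.
INSIDE, PARTNER = "10.1.1.0/24", "192.0.2.0/24"
NAT0 = NatRule(0, [Ace("permit", INSIDE, "10.2.2.0/24")])   # exemption, e.g. a VPN subnet
NAT2 = NatRule(2, [Ace("permit", INSIDE, PARTNER)])         # pool 2 for the partner range
NAT3 = NatRule(3, [Ace("deny", INSIDE, PARTNER), Ace("permit", INSIDE, "0.0.0.0/0")])
NAT3_NO_DENY = NatRule(3, [Ace("permit", INSIDE, "0.0.0.0/0")])

AFTER_UPGRADE_NO_DENY = [NAT0, NAT3_NO_DENY, NAT2]  # nat 2 re-added last, no deny yet
AFTER_UPGRADE = [NAT0, NAT3, NAT2]                  # nat 2 still last, deny added to nat3
RESTORED = [NAT0, NAT2, NAT3]                       # original order, nat 2 before nat 3

if __name__ == "__main__":
    for name, cfg in (("no deny", AFTER_UPGRADE_NO_DENY), ("deny", AFTER_UPGRADE),
                      ("restored", RESTORED)):
        print(name, "->", match_nat(cfg, "10.1.1.5", "192.0.2.10"))
```

With nat 3 listed first and only a permit, the partner flow lands on pool 3; the deny (under the stated assumption) or restoring the original order sends it to pool 2.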


acomiskey Wed, 06/13/2007 - 04:45

There isn't a nat command in your config which references nat2. The one in your config references nat3 which is why it is matching it.

david.buitendag... Wed, 06/13/2007 - 14:33

Thanks for your replies. I do have a global for the nat 2, I just didn't post it. I only posted the config relevant to the subject.

The nat 2 statement comes after the nat 3 statement as it was removed from the config after the upgrade. I was just enquiring if anyone has had any problems using a deny in the acl's for the nat statements and if a deny in the acl's would ignore the specific traffic for NAT? But not to worry... I will simply remove the current NAT statements and put them back in the same order that they were prior to the upgrade.

