nat order and deny statements in acl's

david.buitendag
Level 1

I have recently upgraded an ASA from version 7.0 to 7.2.2. After the upgrade a number of nat statements had been removed. This was related to icmp-specific acl's in the nat acl's. After resolving this, the nat statements were re-added at the end of the nat list. The problem is that the ASA seems to match nat 3 rather than nat 2 (which is now at the end of the list). I have added a deny to the access-list for the specific traffic for nat 3; however, the ASA still seems to be matching the acl for nat 3.

I have used deny statements in nat acl's before and haven't had a problem; however, this doesn't appear to be working.

The acl's for the nat statements are below.

access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0

Output for the packet-tracer is below.

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
  match ip inside 172.18.0.0 255.255.0.0 outside 161.143.48.0 255.255.255.0
    dynamic translation to pool 3 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Any assistance would be appreciated!

3 Replies

Hi,

You have created 3 access-lists with different names, so there is confusion in the ordering!!! (Each acl has only one entry.)

Regarding nat, it will be processed one after another from top to bottom.

[If you are using both static nat and dynamic nat ,static nat will take the priority].

In your scenario, since you have attached acl-3 with nat 3, acl-2 will not come into play anymore.

So,remove the following command,

nat(inside)3 access-list nat3-inside

Add the following one.

nat(inside)3 access-list nat2-inside

[Just changed the access-list]

Hope it helps.

--Jaffer

acomiskey
Level 10

There isn't a nat command in your config which references nat2. The one in your config references nat3 which is why it is matching it.

Thanks for your replies. I do have a global for the nat 2, I just didn't post it. I only posted the config relevant to the subject.

The nat 2 statement comes after the nat 3 statement as it was removed from the config after the upgrade. I was just enquiring if anyone has had any problems using a deny in the acl's for the nat statements and if a deny in the acl's would ignore the specific traffic for NAT? But not to worry... I will simply remove the current NAT statements and put them back in the same order that they were prior to the upgrade.
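Added example (not from the thread or from Cisco): a small Python model of the nat-order evaluation the replies describe, run over the ACLs and nat statements quoted above. It assumes the semantics the poster expects (NAT exemption `nat 0` evaluated first, then the remaining nat statements in configuration order; a permit ACE selects that nat ID, a deny ACE excludes the flow from that statement so evaluation falls through), and it assumes the unposted `nat (inside) 2 access-list nat2-inside` line sits after nat 3, as the poster says. The packet-tracer output in the post shows 7.2.2 selecting nat 3 anyway, so comparing the model's answer with that output is exactly the question the thread raises.

```python
import ipaddress
import re

# Constructed from the ACLs and nat statements quoted in the thread. The
# "nat (inside) 2 access-list nat2-inside" line is assumed: the poster says
# it exists (re-added after nat 3) but did not post it.
CONFIG = """
access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
nat (inside) 2 access-list nat2-inside
"""
ACE_RE = re.compile(r"access-list (\S+) (?:line \d+ )?extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)$")

def parse(config):
    """acls: ACL name -> ACEs in order. nats: (iface, id, acl) with nat 0
    (NAT exemption) first, then the rest in configuration order."""
    acls, nats = {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACE_RE.match(line):
            name, action, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((action,
                ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
    nats.sort(key=lambda n: n[1] != 0)  # stable: only moves nat 0 to the front
    return acls, nats

def acl_action(acl, src, dst):
    """Action of the first ACE whose source and destination networks contain
    the flow, or None when no ACE matches."""
    for action, snet, dnet in acl:
        if src in snet and dst in dnet:
            return action
    return None

def match_nat(config, iface, src, dst):
    """Return the nat ID the model would translate src->dst with on iface.
    A deny ACE (or no matching ACE) means this statement does not apply and
    the next one is tried; None means no nat statement matched."""
    acls, nats = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_if, nat_id, acl_name in nats:
        if nat_if == iface and acl_action(acls.get(acl_name, []), src, dst) == "permit":
            return nat_id
    return None
```

Running the model against the posted config (without the nat 2 line) returns no match at all, whereas the packet-tracer output above shows nat 3 being selected with "No matching global".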
