Policy NAT sequence numbers

Answered Question
Oct 8th, 2007

When doing policy NAT on a PIX 515e I have a question about sequence numbers, e.g. nat (inside) 0,1,2,3... I know it reads down the list to find a match much like an access-list would, but is there some predefined setting for this so that access-list based addresses will come first in this setup rather than default statements? Or why would, in the example below, **nat (inside) 1** get to the bottom? (I know that they should be at the bottom seeing as how it is a default statement, but I thought the rule would look at the sequence number and not line location in the config.)

nat (inside) 0 access-list nat_zero
nat (inside) 2 access-list nat2_acl
nat (inside) 3 access-list nat3_acl
nat (inside) 4 access-list nat4_acl
nat (inside) 1 0.0.0.0 0.0.0.0


Can anybody explain this?


Thanks


Correct Answer by sundar.palaniappan, Mon, 10/08/2007 - 12:27

Policy NAT takes precedence over regular NAT and the matching isn't always based on NAT ID sequence #. Here's the order in which NAT commands are used to match.

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption): in order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT): in order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT): in order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT): in order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT): best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

HTH

Sundar
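As an added illustration of the order quoted above (not code from this thread or from Cisco): a small Python model that applies the exemption, policy NAT and regular NAT classes in that sequence to the nat lines from the question. The ACL contents, the extra "nat (inside) 5" line and the function names are invented for the demonstration; the post shows none of them, and static NAT/PAT is left out because the question's config has none.

```python
import ipaddress

# Constructed sample, not from the thread: the five nat lines from the question,
# plus a hypothetical id 5 line to show best match, and invented ACL contents
# (the post never shows the ACLs).
ACLS = {  # acl name -> [(permitted source network, permitted destination network)]
    "nat_zero": [("10.1.1.0/24", "192.168.50.0/24")],
    "nat2_acl": [("10.1.2.0/24", "0.0.0.0/0")],
    "nat3_acl": [("10.1.0.0/16", "172.16.0.0/16")],
    "nat4_acl": [("10.1.0.0/16", "0.0.0.0/0")],
}
CONFIG = [
    "nat (inside) 0 access-list nat_zero",
    "nat (inside) 2 access-list nat2_acl",
    "nat (inside) 3 access-list nat3_acl",
    "nat (inside) 4 access-list nat4_acl",
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "nat (inside) 5 10.2.1.0 255.255.255.0",
]

def parse_nat(line):
    """Classify one 'nat (iface) id ...' line as exemption, policy or regular NAT."""
    parts = line.split()
    nat_id = int(parts[2])
    if parts[3] == "access-list":
        return {"kind": "exemption" if nat_id == 0 else "policy",
                "id": nat_id, "acl": parts[4]}
    # regular NAT: address followed by a dotted-decimal mask
    net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
    return {"kind": "regular", "id": nat_id, "net": net}

def acl_permits(acl_name, src, dst):
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in ACLS[acl_name])

def match_nat(config, src, dst):
    """Return (class, nat id) the PIX would pick: exemption, then policy NAT
    (each in config order, first hit), then regular NAT by best match.
    Static NAT/PAT (classes 2 and 3) are omitted; the question has none."""
    rules = [parse_nat(line) for line in config]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ("exemption", "policy"):
        for r in rules:  # config order matters here
            if r["kind"] == kind and acl_permits(r["acl"], src, dst):
                return (kind, r["id"])
    # regular NAT: line position is irrelevant, the longest prefix wins
    hits = [r for r in rules if r["kind"] == "regular" and src in r["net"]]
    best = max(hits, key=lambda r: r["net"].prefixlen, default=None)
    return ("regular", best["id"]) if best else (None, None)
```

Moving the "nat (inside) 1 0.0.0.0 0.0.0.0" line to the top of the list does not change any result, while swapping the id 2 and id 4 policy lines does, which is exactly the difference between classes 4 and 5 above.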


thefindjack Mon, 10/08/2007 - 12:50

I know my question was a little difficult to follow but your answer was just what I was looking for. Thanks for the help in understanding this topic!

