PIX NAT.....confused

mjsully · ‎10-21-2008

We have a Pix 515 fw with an inside and outside interface that has the following static NAT:

static (inside,outside) 10.2.2.2 192.168.2.2 netmask 255.255.255.255

We also have a NAT acl that looks like:

nat (inside) 1 access-list outbound-nat

global (outside) 1 10.2.4.4

access-list outbound-nat permit ip host 192.168.2.2 host 209.240.x.x

The outbound-nat acl is showing "hits" on it, but I'm confused as to how its translating to the address in the global statement if that same source ip address 192.168.2.2 has a Static NAT defined? I thought static NAT overruled other NATs? Why would I be seeing hits on the NAT acl?

husycisco · ‎10-21-2008

Hello Matt

If I recall correct, statics take place before policy NATs as you mention. I assume the hits you see are the traffic destined to 10.2.2.2 from outside, either on purpose or not

Regards

suschoud · ‎10-21-2008

The rules are tried in order. 1) nat 0 access-list (nat-exempt) 2) match against existing xlates 3) static a) static nat with and without access-list (first match) b) static pat with and without access-list (first match) 4) nat a) nat access-list (first match) Note: nat 0 access-list is not part of this command. b) nat

(best match) Note: When choosing a global address from multiple pools with the same nat id, the following order is tried i) if the id is 0, create an identity xlate. ii) use the global pool for dynamic NAT iii) use the global pool for dynamic PAT 5) Error

I ASSUME HITS CAME " BEFORE " STATIC WAS ADDED.

WHAT SAY ?

REGARDS,

sushil