nat 0 ACL and static nat

Answered Question
Mar 26th, 2009

All,


I have a nat 0 ACL stating an IP address should not be natted, while a static nat statement says it should be natted. Just want to know which one will take precedence.


Thanks,

Correct Answer by JORGE RODRIGUEZ about 8 years 1 month ago

This is the NAT order of operation for PIX/ASA.

The NAT (nameif) 0 acl_name takes precedence.



1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands
   a. Static NAT with and without access-list
   b. Static PAT with and without access-list
4. Match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use global pool for dynamic NAT
      iii. Use global pool for dynamic PAT


Overall Rating: 5 (1 ratings)
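
The lookup order from the answer above, as a small Python model (an added example, not part of the original post and not Cisco's code). All addresses and rule sets are constructed, "best match" is assumed to mean longest prefix, and static PAT (3b) is left out. It shows that the nat 0 ACL wins only for flows its source/destination entry matches, while other traffic from the same host still falls through to the static.

```python
import ipaddress as ip

# Constructed rule set (hypothetical, not from the thread): host 10.1.1.10 has
# both a nat 0 ACL entry and a static NAT.
NAT_EXEMPT_ACL = [("10.1.1.10/32", "192.168.50.0/24")]  # nat 0 access-list: (src, dst)
XLATES = {}                                             # existing xlates: real -> mapped
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}              # static NAT: real -> mapped
NAT_ACL = [(1, "10.1.2.0/24", "198.51.100.0/24")]       # nat [id] access-list: (id, src, dst)
NAT_NET = [(1, "10.1.0.0/16"), (0, "10.1.9.0/24")]      # nat [id] [address] [mask]
GLOBAL = {1: "203.0.113.1"}                             # global PAT address per nat id

def _in(addr, net):
    return ip.ip_address(addr) in ip.ip_network(net)

def translate(src, dst):
    """Return (step, mapped_source), checking rules in the order the answer lists."""
    # 1. nat 0 access-list (nat-exempt): matched on source AND destination
    for s, d in NAT_EXEMPT_ACL:
        if _in(src, s) and _in(dst, d):
            return ("1 nat-exempt", src)
    # 2. Match existing xlates
    if src in XLATES:
        return ("2 existing xlate", XLATES[src])
    # 3a. Static NAT
    if src in STATIC_NAT:
        return ("3a static NAT", STATIC_NAT[src])
    # 4a. nat [id] access-list: first match wins
    for nat_id, s, d in NAT_ACL:
        if _in(src, s) and _in(dst, d):
            return ("4a nat access-list", GLOBAL[nat_id])
    # 4b. nat [id] [address] [mask]: best match (assumed: longest prefix)
    hits = [(ip.ip_network(n).prefixlen, i) for i, n in NAT_NET if _in(src, n)]
    if hits:
        nat_id = max(hits)[1]
        if nat_id == 0:
            return ("4b-i identity xlate", src)       # ID 0: address unchanged
        return ("4b-iii dynamic PAT", GLOBAL[nat_id])
    return ("no match", None)

if __name__ == "__main__":
    for flow in [("10.1.1.10", "192.168.50.5"), ("10.1.1.10", "192.0.2.1"),
                 ("10.1.2.5", "198.51.100.7"), ("10.1.9.4", "192.0.2.1")]:
        print(flow, "->", translate(*flow))
```

When auditing a real configuration, check how wide the nat 0 ACL is: every flow it matches keeps its real address regardless of any static for that host.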
Correct Answer
JORGE RODRIGUEZ Thu, 03/26/2009 - 11:18