
nat 0 ACL and static nat, which one take precedence?

yuhuiyao
Level 1

All,

I have a nat 0 ACL stating that an IP address should not be NATted, while a static NAT statement says it should be NATted. I just want to know which one will take precedence.

Thanks,

Accepted Solution

nat 0 ACL will take precedence.

Here is the NAT order of operations:

1) NAT exemption - When multiple NAT types/rules are set up, the security appliance tries to match traffic against the ACL in the NAT exemption rules. If there are overlapping entries in the ACL, the security appliance analyzes the ACEs until a match is found.

2) Static NAT - If there is no match found in the NAT exemption rules, the security appliance analyzes the static NAT entries in sequential order to determine a match.

3) Static PAT - If the security appliance does not find a match in NAT exemption or static NAT entries, it goes through the static PAT entries until it locates a match.

4) Policy NAT/PAT - The security appliance evaluates the policy NAT entries if it is still not able to find a match on the packet flow.

5) Identity NAT - The security appliance tries to find a match using the identity NAT statement, if one is set up to do so.

6) Dynamic NAT - If the security appliance fails to find a match using the first five rules, it checks to see if the packets need to be translated using dynamic NAT.

7) Dynamic PAT - The packets are checked against the dynamic PAT rules as the last resort, if all the previously mentioned rules fail.

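Worked example of the precedence described in the accepted solution. This is an added configuration fragment, not something posted in the thread; it uses the pre-8.3 ASA NAT syntax the thread is discussing, and the interface names, addresses and the ACL name NONAT are assumed for illustration. The inside host 10.1.1.10 is matched by both a NAT exemption (only for traffic to 192.168.50.0/24, for example a site-to-site VPN peer network) and a static translation to 203.0.113.10. Because NAT exemption is checked first, traffic to 192.168.50.0/24 leaves untranslated, while traffic to any other destination falls through to the static and appears as 203.0.113.10:

```cisco
! Added example (not from the thread). ASA pre-8.3 NAT syntax.
! Interface names, addresses and the ACL name NONAT are assumed.

! 1) NAT exemption: evaluated first. Only flows from 10.1.1.10 to
!    192.168.50.0/24 match this ACL and are left untranslated.
access-list NONAT extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2) Static NAT: evaluated only for flows that did NOT match NONAT,
!    so 10.1.1.10 -> anything else is translated to 203.0.113.10.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 6)/7) Dynamic PAT for the rest of the inside subnet, last resort.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Verification: trace one flow to the exempted network and one to the
! Internet; the NAT phase of each trace shows which rule was applied.
packet-tracer input inside tcp 10.1.1.10 1025 192.168.50.5 443
packet-tracer input inside tcp 10.1.1.10 1025 198.51.100.5 80

! Active translations for the host (only the static-matched flows
! create an xlate to 203.0.113.10).
show xlate | include 10.1.1.10
```

Two practical notes. First, the order in which the nat 0 and static lines appear in the running configuration does not matter: exemption wins because of the rule type, not because of its position. Second, the static creates a bidirectional mapping but does not by itself permit inbound connections to 203.0.113.10; an access-list applied to the outside interface still has to allow them.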

Replies

I have a policy NAT/PAT that I would like to take precedence over a static NAT.

How is this accomplished?

I don't think that's possible.

jschmied, you will have to convert your static NAT statement into some sort of policy NAT statement that takes a lower precedence.

Thanks to all for the help on this. I just wanted to let you know that the solution that worked for us was to change the policy NAT to a static NAT and then reorder the two static NAT statements to the order we wanted. Thanks again!
