nat id order of priority

Answered Question
May 15th, 2009

If I have multiple NATs for the same interface, will they be matched in order by the lowest nat-id first (other than 0)?

insomniacgames_nc Fri, 05/15/2009 - 07:04

That list doesn't show the order of multiple NATs.

I have:

nat (inside) 2 access-list list_1

nat (inside) 3 access-list list_2

access-list list_2 extended permit ip 10.100.0.0 255.255.0.0 host 65.1.1.1

access-list list_3 extended permit ip 10.100.0.0 255.255.0.0 any

Will list 2 be used first if going to host 65.1.1.1 in EVERY case because the nat-id is lower than the other nat?

Thanks,


carlos fernandez

Collin Clark Fri, 05/15/2009 - 07:09

The NAT will match the global, which is mapped to the ACL. Are you saying you have multiple globals assigned to an interface and the ACLs have the same source and you want to know which will happen first?

insomniacgames_nc Fri, 05/15/2009 - 07:27

Yes. Forgot the global cmds.

access-list list_2 extended permit ip 10.100.0.0 255.255.0.0 host 65.1.1.1

access-list list_3 extended permit ip 10.100.0.0 255.255.0.0 any

global (outside) 2 65.2.2.2

global (outside) 3 65.3.3.3

nat (inside) 2 access-list list_1

nat (inside) 3 access-list list_2

If I am trying to get to 65.1.1.1, will my global source always be 65.2.2.2 because of nat-id order?

Thanks,


carlos


Correct Answer
Collin Clark Fri, 05/15/2009 - 07:34

It will, but not because of nat-id order (I believe); it will because access list 2 is a longer match.

insomniacgames_nc Fri, 05/15/2009 - 07:38

Just thought of this.

What I need is:

access-list list_3 extended deny ip 10.100.0.0 255.255.0.0 host 65.1.1.1

access-list list_3 extended permit ip 10.100.0.0 255.255.0.0 host 65.1.1.1


carlos
