nat Question

Answered Question
Aug 30th, 2009
I have a question about nat. I have the following config in an ASA firewall:

nat (outside) 4 10.0.0.99 255.255.255.255
nat (outside) 4 10.0.1.66 255.255.255.255
nat (outside) 4 10.0.0.128 255.255.255.255
nat (outside) 4 10.0.1.0 255.255.255.0
nat (outside) 0 10.1.0.0 255.255.255.0
nat (outside) 0 10.2.0.0 255.255.255.0

Are there nat commands that are doing the same? If I understand nat'ing, this command:

nat (outside) 4 10.0.1.0 255.255.255.0

covers this command:

nat (outside) 4 10.0.1.66 255.255.255.255

And these:

nat (outside) 4 10.0.1.0 255.255.255.0

covers?

nat (outside) 4 10.0.1.66 255.255.255.255

are doing the same thing.

Also,

nat (name) 5 172.19.0.222 255.255.255.255
nat (name) 2 172.19.0.0 255.255.255.0

Which command will the FW look at first? Is the first command necessary?

I would appreciate an explanation of these natting commands. I have a situation of many natting commands and it looks like some are doing the same thing.



Hitesh Vinzoda Sun, 08/30/2009 - 22:40

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list) - In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static) - In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list) - In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat) - Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.


HTH


Regards


Hitesh Vinzoda
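As an added illustration (not part of the thread, and not Cisco code), the following Python models the best-match rule from category 4 above and applies it to the exact nat commands quoted in the question. Every line in the question is a regular dynamic NAT statement (the two nat 0 lines have no access-list, so they are identity NAT and fall into category 4, not NAT exemption), so longest-prefix selection is the whole story for this config. The interface name "name" is the poster's placeholder; the global pools that ids 2, 4 and 5 map to are not in the thread and are not needed to decide which statement is chosen.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the nat statements quoted in the question, verbatim.
CONFIG = """
nat (outside) 4 10.0.0.99 255.255.255.255
nat (outside) 4 10.0.1.66 255.255.255.255
nat (outside) 4 10.0.0.128 255.255.255.255
nat (outside) 4 10.0.1.0 255.255.255.0
nat (outside) 0 10.1.0.0 255.255.255.0
nat (outside) 0 10.2.0.0 255.255.255.0
nat (name) 5 172.19.0.222 255.255.255.255
nat (name) 2 172.19.0.0 255.255.255.0
"""

# Only the plain form "nat (ifc) <id> <real-addr> <mask>" is handled here;
# a trailing "access-list" would make it policy NAT (category 3, first match).
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


@dataclass(frozen=True)
class NatRule:
    interface: str
    nat_id: int                    # 0 = identity NAT (address left unchanged)
    real: ipaddress.IPv4Network    # real (inside) addresses the rule covers
    text: str                      # the original command line


def parse_config(text: str) -> List[NatRule]:
    """Turn the nat lines into NatRule objects; reject anything else."""
    rules = []
    for line in text.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported nat form: {line!r}")
        ifc, nat_id, addr, mask = m.groups()
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        rules.append(NatRule(ifc, int(nat_id), net, line.strip()))
    return rules


def best_match(rules: List[NatRule], interface: str, host: str) -> Optional[NatRule]:
    """Regular dynamic NAT: configuration order is irrelevant; among the
    statements on this interface whose real range contains the host, the
    most specific one (longest prefix) is used."""
    ip = ipaddress.IPv4Address(host)
    candidates = [r for r in rules if r.interface == interface and ip in r.real]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.real.prefixlen)


def redundant_rules(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """A statement is redundant when a broader statement on the same interface
    with the SAME nat id already covers its entire real range: both select the
    same global pool, so deleting the narrower one changes no translation.
    A narrower statement with a DIFFERENT id (172.19.0.222, id 5) is not
    redundant: it is exactly how a host is steered to another pool."""
    found = []
    for r in rules:
        for other in rules:
            if (other is not r and other.interface == r.interface
                    and other.nat_id == r.nat_id
                    and r.real != other.real and r.real.subnet_of(other.real)):
                found.append((r, other))
                break
    return found


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for ifc, host in [("outside", "10.0.1.66"), ("outside", "10.0.1.5"),
                      ("name", "172.19.0.222"), ("name", "172.19.0.10")]:
        hit = best_match(rules, ifc, host)
        print(f"{host:>14} on {ifc}: {hit.text if hit else 'no nat statement'}")
    for narrow, broad in redundant_rules(rules):
        print(f"redundant: '{narrow.text}' is covered by '{broad.text}'")
```

Run as a script, it reports that 10.0.1.66 selects the /32 statement and 10.0.1.5 the /24 statement, both under id 4, and flags the 10.0.1.66 line as the one redundant command in the config. For 172.19.0.222 the /32 with id 5 wins over the /24 with id 2 regardless of which line appears first, so the first command is necessary only if pool 5 is meant to differ from pool 2.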

stoneystone Tue, 09/01/2009 - 06:27

Hitesh,

Thanks for the explanation. I appreciate your time.

Correct Answer
Hitesh Vinzoda Tue, 09/01/2009 - 08:14

Hi,


Please rate the post.. if the answer was helpful


Regards


Hitesh Vinzoda
