Static and dynamic NAT

Unanswered Question
Oct 3rd, 2010

I have a problem with the rule that static NAT has higher priority than dynamic NAT; to be exact, this rule doesn't work. I will explain it with an example: I have LAN /24 (LAN1), that will be dynamically NAT'ed to There is also some Server with IP address (local) and (global). The second LAN (LAN2) has the network address and the traffic between LAN1 and LAN2 should not be NAT'ed.

Now I write on R3:
! dynamic NAT list, NAT always to except for /24 Network
access-list 122 deny   ip
access-list 122 permit ip any
! static NAT list: NAT always to, except for LAN2
access-list 150 deny   ip host
access-list 150 permit ip host any
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static route-map nonat
route-map nonat permit 10
match ip address 150
But without the line
access-list 122 deny ip host any

whole traffic from will be NAT'ed to and not to!

How is it possible? Static NAT will be done first, and if the address is already set (and it is set, because with the line "access-list 122 deny ip host any" it works fine), why will it be NAT'ed again to

Haider A.Hani Sun, 10/03/2010 - 16:25

hi mate

i think that the rule of your access list 150 is wrong.

if you want to make the traffic get into your lan 1 network so it should be in reverse.

that is what you wrote

access-list 150 deny   ip host
access-list 150 permit ip host any

this is how it should be

access-list 150 deny   ip host
access-list 150 permit any host

note: just check the formula, because I used the ? mark

i hope this is helpful for you

Federico Coto F... Sun, 10/03/2010 - 16:36


I see the situation that you're having and I agree with you that the static NAT should take precedence.

I'm thinking that the problem might be that you have a conditional static NAT (not a plain static NAT), and since both NAT rules depend on ACLs, the traffic from the server is actually checked against both rules. This is why if you deny the server from the dynamic rule then it works fine.

I know for a fact that static NAT takes precedence over dynamic NAT on ASAs, but even though it should be the same on routers, I believe routers have more problems with NAT.

As a test can you take out the condition (route-map) to the static NAT and see if it takes precedence?

I understand this is not the way you need it, but just to confirm the priority of the static NAT over dynamic.

I will try to lab this and let you know if the same thing happens to me.


Thomas Schmitt Mon, 10/04/2010 - 04:00

You are right - the Router shows this behavior only with route-map, not with "plain" static NAT.

Is it a bug, or does it work as intended? Or maybe the way I did it was not the correct one?
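For reference, here is the workaround the thread arrived at (excluding the server host from the dynamic pool so only the conditional static entry can ever match it) written out as a complete config. This is an added example with constructed placeholder addresses, not the original poster's configuration:

```text
! Constructed placeholder addresses (not from the thread):
!   LAN1          = 192.0.2.0/24      (inside)
!   LAN2          = 198.51.100.0/24   (remote site, must not be NAT'ed)
!   Server local  = 192.0.2.10
!   Server global = 203.0.113.10
!   Serial0/0     = outside interface, FastEthernet0/0 = inside interface
!
! Dynamic NAT: LAN1 to anywhere is overloaded on the Serial0/0 address.
! The server host is denied here explicitly, so it is never a candidate
! for the dynamic rule; LAN1-to-LAN2 is denied so it stays untranslated.
access-list 122 deny   ip host 192.0.2.10 any
access-list 122 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 122 permit ip 192.0.2.0 0.0.0.255 any
!
! Conditional static NAT for the server: translate to the global address
! for everything except traffic towards LAN2.
access-list 150 deny   ip host 192.0.2.10 198.51.100.0 0.0.0.255
access-list 150 permit ip host 192.0.2.10 any
route-map nonat permit 10
 match ip address 150
!
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static 192.0.2.10 203.0.113.10 route-map nonat
!
interface FastEthernet0/0
 ip nat inside
interface Serial0/0
 ip nat outside
!
! Check: the server's flows must show 203.0.113.10 as the inside global
! address, never the Serial0/0 address.
! show ip nat translations
! show ip nat statistics
```

Without the first deny line in access-list 122 the router, as reported above, matches the server's traffic against the dynamic rule as well and overloads it on the interface address.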

