Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
mahesh18
mahesh18
Community Member
‎08-05-2013 10:46 AM
‎08-05-2013 10:46 AM

Moving Manual NAT to section 3 (after auto nat)

Hi All,

We have 3 sections of NAT

1>Manual NAT

2>Auto NAT

3>Manual NAt after Auto.

Lets say on ASA  we config Manual and Auto Nat.

Now Order of NAT  is

1>Manual

2>Auto

If i move the Manual NAT  to section 3 of NAT  which is Manual NAT  after auto NAT.

Now Order of NAT  is

2>Auto

3>Manual NAT  after Auto.

Now when i try to do Process Manual NATafter auto  section number 3 it does not work as it hits Auto NAt and does not go down.

Need to know the reason behind this?

Regards

MAhesh

Labels:
0 Helpful
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
Jouni Forss
Jouni Forss Super Bronze
Super Bronze
‎08-05-2013 10:52 AM
‎08-05-2013 10:52 AM

Moving Manual NAT to section 3 (after auto nat)

Hi Mahesh,

Essentially the main order of the NAT is this

  • Manual NAT (Section 1)
  • Auto NAT (Section 2)
  • Manual NAT (Section 3)

When for example traffic from your LAN comes to the ASA the ASA will go through your NAT conrfigurations in order from Section 1 to Section 2 to Section 3 UNTIL a match is found for the connection according to its source/destination IP/port.

So what your are seeing is that you have atleast 2 NAT rules that match the same connection attempt and after you move a Section 1 Manual NAT to Section 3 Manual NAT that means that some NAT configuration/rule in Section 2 is now probably matching the traffic and therefore the Section 3 Manual NAT is not matched anymore. This is simply because of the above mentioned ordering/priority of the NAT rules/configurations.

- Jouni

0 Helpful
Reply
Jouni Forss
Jouni Forss Super Bronze
Super Bronze
‎08-05-2013 10:57 AM
‎08-05-2013 10:57 AM

Re: Moving Manual NAT to section 3 (after auto nat)

Also as a little side note,

There is also difference in the ordering of the NAT configurations depending on the Section

  • Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules BUT if they are in the wrong order it might be that other one of them is never used
  • Section 2 Auto NAT rules are processed in an order that you dont usually decide yourself. The ASA puts them in order according to how they were configured.

So in a nutshell. You can manually set the order of the Manual NAT rules but Auto NAT rules are ordered automatically by the ASA itself.

You can see the current order of the Auto NAT rules with the command

show nat

- Jouni

0 Helpful
Reply
3 REPLIES
Jouni Forss
Jouni Forss Super Bronze
Super Bronze
‎08-05-2013 10:52 AM
‎08-05-2013 10:52 AM

Moving Manual NAT to section 3 (after auto nat)

Hi Mahesh,

Essentially the main order of the NAT is this

  • Manual NAT (Section 1)
  • Auto NAT (Section 2)
  • Manual NAT (Section 3)

When for example traffic from your LAN comes to the ASA the ASA will go through your NAT conrfigurations in order from Section 1 to Section 2 to Section 3 UNTIL a match is found for the connection according to its source/destination IP/port.

So what your are seeing is that you have atleast 2 NAT rules that match the same connection attempt and after you move a Section 1 Manual NAT to Section 3 Manual NAT that means that some NAT configuration/rule in Section 2 is now probably matching the traffic and therefore the Section 3 Manual NAT is not matched anymore. This is simply because of the above mentioned ordering/priority of the NAT rules/configurations.

- Jouni

0 Helpful
Reply
mahesh18
mahesh18
Community Member
‎08-05-2013 10:56 AM
‎08-05-2013 10:56 AM

Moving Manual NAT to section 3 (after auto nat)

Thanks Jouni

I got it now

Best reagrds

MAhesh

0 Helpful
Reply
Jouni Forss
Jouni Forss Super Bronze
Super Bronze
‎08-05-2013 10:57 AM
‎08-05-2013 10:57 AM

Re: Moving Manual NAT to section 3 (after auto nat)

Also as a little side note,

There is also difference in the ordering of the NAT configurations depending on the Section

  • Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules BUT if they are in the wrong order it might be that other one of them is never used
  • Section 2 Auto NAT rules are processed in an order that you dont usually decide yourself. The ASA puts them in order according to how they were configured.

So in a nutshell. You can manually set the order of the Manual NAT rules but Auto NAT rules are ordered automatically by the ASA itself.

You can see the current order of the Auto NAT rules with the command

show nat

- Jouni

0 Helpful
Reply
Latest Documents
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
Firepower Threat Defense (NGFWv) on UCS E-Series blade on ISR 4K - Routed Mode in HA
Created by Kureli Sankar on 11-12-2017 09:26 PM
0
5
0
5
Documentation UCS E-Series Configuration Guide: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide.html Cisco UCS E-Series Getting Started Guide: https://www.cisco.com/c/en/us/td/docs/unified_computing/... view more
All Documents
294
Views
0
Helpful
3
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs