Cisco Support Community

nat 0 ACL and static nat, which one take precedence?

All,

I have a nat 0 ACL stating that an IP address should not be NATted, while a static NAT statement says it should be NATted. I just want to know which one will take precedence.

Thanks,

1 ACCEPTED SOLUTION

Re: nat 0 ACL and static nat, which one take precedence?

nat 0 ACL will take precedence.

Here is the NAT order of operation:

1) NAT exemption - When multiple NAT types/rules are set up, the security appliance tries to match traffic against the ACL in the NAT exemption rules. If there are overlapping entries in the ACL, the security appliance analyzes the ACEs until a match is found.

2) Static NAT - If there is no match found in the NAT exemption rules, the security appliance analyzes the static NAT entries in sequential order to determine a match.

3) Static PAT - If the security appliance does not find a match in NAT exemption or static NAT entries, it goes through the static PAT entries until it locates a match.

4) Policy NAT/PAT - The security appliance evaluates the policy NAT entries if it is still not able to find a match on the packet flow.

5) Identity NAT - The security appliance tries to find a match using the identity NAT statement, if one is set up to do so.

6) Dynamic NAT - If the security appliance fails to find a match using the first five rules, it checks to see if the packets need to be translated using dynamic NAT.

7) Dynamic PAT - The packets are checked against the dynamic PAT rules as the last resort, if all the previously mentioned rules fail.

5 REPLIES

Re: nat 0 ACL and static nat, which one take precedence?

I have a policy NAT/PAT that I would like to take precedence over a static NAT.

How is this accomplished?

Re: nat 0 ACL and static nat, which one take precedence?

I don't think that's possible.

Re: nat 0 ACL and static nat, which one take precedence?

jschmied, you will have to convert your static NAT statement into some sort of policy NAT statement that takes a lower precedence.

Re: nat 0 ACL and static nat, which one take precedence?

Thanks to all for the help on this. I just wanted to let you know that the solution that worked for us was to change the policy NAT to a static NAT and then reorder the two static NAT statements to the order we wanted. Thanks again!
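As an added example (not code from the thread, from Cisco, or from any real appliance): a small Python model of the seven-stage order the accepted answer lists, walked first-match over constructed sample rules. Running it shows why the nat 0 ACL wins over the static in the original question, why a policy NAT entry cannot outrank a static, and how expressing the policy rule as a static and placing it first (the fix the last reply describes) changes the result. The CLI lines in the comments only sketch the pre-8.3 syntax shapes; all addresses, rule tables and stage names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, simplified model of the seven-stage NAT evaluation order quoted in the
# thread (pre-8.3 ASA/PIX). Rule tables and addresses below are made-up sample data.

def _in(net, addr):
    """True if addr falls inside net (a CIDR string; None means 'any')."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source network, e.g. "10.1.1.0/24"
    dst: str      # destination network

@dataclass
class NatTable:
    exemption_acl: list = field(default_factory=list)  # nat 0 access-list ACEs, in ACL order
    static: list = field(default_factory=list)         # (real_net, dst_net or None, mapped), config order
    static_pat: list = field(default_factory=list)     # (real_net, proto, real_port, mapped, mapped_port)
    policy: list = field(default_factory=list)         # (src_net, dst_net, mapped_pool)
    identity: list = field(default_factory=list)       # nat 0 <net> without an ACL
    dynamic: list = field(default_factory=list)        # (src_net, mapped_pool) one-to-one pool
    dynamic_pat: list = field(default_factory=list)    # (src_net, pat_address)

def translate(table, src, dst, proto="tcp", sport=0):
    """Walk the seven stages in order; return (stage_that_matched, mapped_source)."""
    # 1) NAT exemption: first ACE whose src/dst match decides; a deny ACE ends the search
    for ace in table.exemption_acl:
        if _in(ace.src, src) and _in(ace.dst, dst):
            if ace.action == "permit":
                return ("nat-exemption", src)
            break
    # 2) Static NAT, sequential: dst_net None is a plain static, otherwise a static policy entry
    for real_net, dst_net, mapped in table.static:
        if _in(real_net, src) and _in(dst_net, dst):
            return ("static-nat", mapped)
    # 3) Static PAT: real host and real port must both match
    for real_net, p, port, mapped, mport in table.static_pat:
        if _in(real_net, src) and p == proto and port == sport:
            return ("static-pat", f"{mapped}:{mport}")
    # 4) Policy NAT/PAT: source and destination both constrain the match
    for src_net, dst_net, pool in table.policy:
        if _in(src_net, src) and _in(dst_net, dst):
            return ("policy-nat", pool)
    # 5) Identity NAT: translated to itself
    for net in table.identity:
        if _in(net, src):
            return ("identity-nat", src)
    # 6) Dynamic NAT
    for net, pool in table.dynamic:
        if _in(net, src):
            return ("dynamic-nat", pool)
    # 7) Dynamic PAT, last resort
    for net, pat in table.dynamic_pat:
        if _in(net, src):
            return ("dynamic-pat", pat)
    return ("no-match", src)   # nothing translates this flow

# Constructed sample table, roughly the shape of:
#   access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
#   nat (inside) 0 access-list NONAT
#   static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
#   access-list POLICY permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
#   nat (inside) 2 access-list POLICY  /  global (outside) 2 203.0.113.50
#   nat (inside) 1 10.1.1.0 255.255.255.0  /  global (outside) 1 203.0.113.1
ORIGINAL = NatTable(
    exemption_acl=[Ace("permit", "10.1.1.0/24", "192.168.2.0/24")],
    static=[("10.1.1.10/32", None, "203.0.113.10")],
    policy=[("10.1.1.0/24", "198.51.100.0/24", "203.0.113.50")],
    dynamic_pat=[("10.1.1.0/24", "203.0.113.1")],
)

# The fix the thread ends on: the destination-keyed rule becomes a static entry placed
# before the plain static for 10.1.1.10, so sequential static matching hits it first.
REORDERED = NatTable(
    exemption_acl=ORIGINAL.exemption_acl,
    static=[("10.1.1.0/24", "198.51.100.0/24", "203.0.113.50"),
            ("10.1.1.10/32", None, "203.0.113.10")],
    dynamic_pat=ORIGINAL.dynamic_pat,
)

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("reordered", REORDERED)):
        for src, dst in (("10.1.1.10", "192.168.2.5"), ("10.1.1.10", "198.51.100.7"),
                         ("10.1.1.20", "198.51.100.7"), ("10.1.1.20", "192.0.2.9")):
            print(name, src, "->", dst, translate(table, src, dst))
```

In the ORIGINAL table, 10.1.1.10 talking to 192.168.2.5 is exempted even though a static exists for it (stage 1 beats stage 2), and the same host talking to 198.51.100.7 gets the static mapping even though the policy entry also matches (stage 2 beats stage 4). Only in REORDERED, where the destination-keyed rule is itself a static listed first, does that flow pick up 203.0.113.50; the exemption still wins for the VPN-bound flow.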
