Cisco Support Community

NAT ID Priority Issue

    Hi All,

I have a Cisco ASA firewall with three legs, named inside, dmz and outside, with security levels 100, 50 and 0 respectively.

I have the configuration below:

nat (inside) 75 access-list outnat
nat (inside) 25 access-list dmznat

global (dmz) 25 interface
global (outside) 75 interface


access-list dmznat extended permit icmp any any

access-list outnat extended permit icmp any any

Now, if I try to ping any of the DMZ servers from the inside, I am unable to, but I am able to ping the outside servers.

Once I remove the line "access-list outnat extended permit icmp any any", I am able to ping all the DMZ server IPs but not the outside IP addresses.

Why isn't NAT ID 25 taking higher priority by default? Only once I remove the ICMP access from the NAT ACL outnat am I able to ping the DMZ servers.

Please help me understand how the NAT IDs are prioritized.




NAT ID Priority Issue

Hi Ganesan,

NAT IDs are not used for deciding the priority; they are only used to match the corresponding global statements. If you have multiple nat and global statements, they are matched from top to bottom, so when you try to ping the DMZ, since you have an any/any access-list, it falls into the first nat statement, but the corresponding global for it is the global (outside), and the packet is dropped.

When you remove the first nat statement, the DMZ traffic hits the correct nat statement, but then the inside-to-outside traffic is blocked, since you have removed the nat for it.

What you need to do is specify very strict ACLs. Let's say your dmz is and inside is, then you would just need:

nat (inside) 75

global (outside) 75 interface

global (dmz) 75 interface

That's it, and it would work like a charm; you can have multiple global statements for the same nat statement.

Hope that helps.



Thanks, Varun Rao Security Team, Cisco TAC
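An added configuration example, not part of the original thread and not Cisco's or the posters' own config, illustrating the point made in the reply above for the pre-8.3 nat/global syntax: an any/any policy NAT ACL that is listed first swallows the DMZ-bound traffic, and either scoping the ACLs by destination or using one NAT ID with a global on each egress interface fixes it. The subnets (inside 192.168.1.0/24, dmz 172.16.1.0/24) and host addresses are assumptions made for this example.

```cisco
! --- Problematic ordering (as in the question): both ACLs permit icmp any any.
! Inside-to-DMZ pings match the first policy NAT entry (ID 75) and are bound to
! global (outside) 75; there is no global (dmz) 75, so no translation exists for
! the dmz egress interface and the packet is dropped.
access-list outnat extended permit icmp any any
access-list dmznat extended permit icmp any any
nat (inside) 75 access-list outnat
nat (inside) 25 access-list dmznat
global (outside) 75 interface
global (dmz) 25 interface

! --- Fix 1: scope the policy NAT ACLs by destination so each flow matches
! exactly one nat statement, and list the more specific (DMZ) entry first.
! Subnets are assumed for this example.
no nat (inside) 75 access-list outnat
no nat (inside) 25 access-list dmznat
clear configure access-list outnat
clear configure access-list dmznat
access-list dmznat extended permit icmp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outnat extended permit icmp 192.168.1.0 255.255.255.0 any
nat (inside) 25 access-list dmznat
nat (inside) 75 access-list outnat
global (dmz) 25 interface
global (outside) 75 interface

! --- Fix 2 (the reply's suggestion, used instead of Fix 1): one nat statement
! for the inside subnet and one global per egress interface sharing the same
! NAT ID. The ASA selects the global on whichever interface the route to the
! destination points out of, so no destination-specific ACL is needed.
nat (inside) 75 192.168.1.0 255.255.255.0
global (dmz) 75 interface
global (outside) 75 interface

! --- Verification: trace an echo request (ICMP type 8, code 0) from an inside
! host to a DMZ host, then confirm the translation was built.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.10
show xlate
```

The packet-tracer output should show the NAT phase selecting the dmz global rather than failing with no translation group; if it still picks the outside global, check the order of the nat statements in the running configuration. These commands apply only to the pre-8.3 nat/global model used in the thread; ASA 8.3 and later use object and twice NAT and do not accept this syntax.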