Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

nat order and deny statements in acl's

I have recently upgraded an ASA from version 7.0 to 7.2.2. After the upgrade a number of nat statements had been removed. This was related to icmp specific acl's in the nat acl's. After resolving this, the nat statements were re-added at the end of the nat list. The problem is that the ASA seems to match nat 3 rather than nat 2 (which is now at the end of the list) . I have added a deny to the access-list for the specific traffic for nat3 however the ASA still seems to be matching the acl for nat3.

I have used deny statements in nat acl's before and haven't had a problem however this doesn't appear to be working.

The acl's for the nat statements are below.

access-list nat0-inside line 1 extended deny ip

access-list nat3-inside line 1 extended deny ip

ess-list nat2-inside line 1 extended permit ip

Output for the packet-tracer is below.

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW


nat (inside) 0 access-list nat0-inside

nat (inside) 3 access-list nat3-inside

match ip inside outside

dynamic translation to pool 3 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Any assistance would be apprecitated!

New Member

Re: nat order and deny statements in acl's


You have created 3 access-lists with different names so confusion in the ordering!!! (Each acl has only one entry).

Regarding nat,it will be processed one after one from top to bottom.

[If you are using both static nat and dynamic nat ,static nat will take the priority].

In your senario,since you have attched Acl-3 with nat3, acl-2 will not come into play anymore.

So,remove the following command,

nat(inside)3 access-list nat3-inside

Add the following one.

nat(inside)3 access-list nat2-inside.

[Just changed the access-list]

Hope it helps.



Re: nat order and deny statements in acl's

There isn't a nat command in your config which references nat2. The one in your config references nat3 which is why it is matching it.

New Member

Re: nat order and deny statements in acl's

Thanks for your replies. I do have a global for the nat 2, I just didn't post it. I only posted the config relevent to the subject.

The nat 2 statement comes after the nat 3 statement as it was removed from the config after the upgrade. I was just enquiring if anyone has had any problems using a deny in the acl's for the nat statements and if a deny in the acl's would ignore the specific traffic for NAT? BUt not to worry... I will simply remove the current NAT statements and put them back in the same order that they were prior to the upgrade.

CreatePlease to create content