Cisco Support Community
New Member

NAT Statement order of priority??

Hello Everyone,

I am stuck with these two NAT statements. When I add the second NAT statement, it still uses the first NAT statement when I look at the packet-tracer input/output.

There is a single "inside interface" IP address that needs to be connected to two different VPN tunnel hosts. The inside address is 192.168.10.20, which needs to connect to the remote tunnel hosts 10.10.10.10 and 20.20.20.20.

10.51.2.10 is the dmz NAT

10.51.2.50 is the dmz NAT

The first NAT statement is made like this:

access-list OLD_VPN_192.168.10.20 extended permit ip host 192.168.10.20 10.10.10.10 255.255.255.240

static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255

The second NAT statement is like this:

access-list NEW_VPN_192.168.10.20 extended permit tcp host 192.168.10.20 20.20.20.20 eq 21

static (inside, dmz) 10.51.2.50 access-list NEW_VPN_192.168.10.20

When I see the output of packet-tracer, the traffic is going via 10.51.2.10 but it's supposed to go via 10.51.2.50. Is there some priority here which I should be aware of?

Thanks

Sid

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: NAT Statement order of priority??

Yes, you are correct.

It will match the more specific first, and if it doesn't match that particular static line, it will go down the list.

5 REPLIES
Cisco Employee

Re: NAT Statement order of priority??

Can you please confirm if your first statement should be:

static (inside, dmz) 10.51.2.10 access-list OLD_VPN_192.168.10.20

instead of:

static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255

as posted earlier?

If it's "static (inside, dmz) 10.51.2.10 access-list OLD_VPN_192.168.10.20", then it is OK as long as you perform "clear xlate" after any of the static NAT changes.

New Member

Re: NAT Statement order of priority??

Hi Jennifer,

It's the same as I posted. When I do a show xlate count detailed

for the first NAT statement, I get "NAT from inside:192.168.10.20 to dmz:10.51.2.10 flags s"

For the second NAT I get "TCP PAT .........." because I am allowing only FTP and ICMP

Thanks

Sid

Cisco Employee

Re: NAT Statement order of priority??

In that case, please flip the static NAT statements around, as they are processed in order.

I would suggest that you remove both statements, then enter the commands in this order:

static (inside, dmz) 10.51.2.50 access-list NEW_VPN_192.168.10.20

static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255

Then "clear xlate".
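To make the "processed in order" point concrete, here is a small Python model of first-match evaluation over ordered static NAT rules. It is an added illustration written for this page, not code from the thread or from Cisco; it only models what the replies state (static rules are checked in configuration order and the first match wins), so it ignores NAT exemption, dynamic NAT/PAT, the `netmask` keyword and every other part of the real ASA NAT pipeline. The two statics and the sample flows are taken from this thread; the extra flows (HTTPS to 20.20.20.20, a different inside host) are constructed to show what falls through to the regular static and what matches nothing.

```python
"""Toy first-match model of ordered ASA static NAT rules (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 for protocols without ports


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list ... extended permit' line reduced to what matters here."""
    proto: str          # "ip" matches any protocol
    src_host: str
    dst_net: str        # "address/prefix", e.g. "20.20.20.20/32"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if f.src != self.src_host:
            return False
        net = ipaddress.ip_network(self.dst_net, strict=False)
        if ipaddress.ip_address(f.dst) not in net:
            return False
        return self.dport is None or self.dport == f.dport


@dataclass(frozen=True)
class Static:
    """A 'static (inside,dmz)' rule: regular (matches on real host only)
    or policy (matches when any ACL entry matches)."""
    mapped: str
    real_host: Optional[str] = None
    acl: Tuple[AclEntry, ...] = ()

    def matches(self, f: Flow) -> bool:
        if self.acl:
            return any(e.matches(f) for e in self.acl)
        return f.src == self.real_host


def translate(rules, flow):
    """Return the mapped address of the first matching static, or None.
    This is the only ordering rule the thread relies on: first match wins."""
    for rule in rules:
        if rule.matches(flow):
            return rule.mapped
    return None


# The two statics from the thread.
OLD_STATIC = Static(mapped="10.51.2.10", real_host="192.168.10.20")
NEW_STATIC = Static(mapped="10.51.2.50", acl=(
    AclEntry("tcp", "192.168.10.20", "20.20.20.20/32", dport=21),
))

ORIGINAL_ORDER = (OLD_STATIC, NEW_STATIC)   # the order the poster entered them
FIXED_ORDER = (NEW_STATIC, OLD_STATIC)      # the order suggested in the reply

# Constructed sample flows from inside host 192.168.10.20 (and one other host).
FTP_TO_NEW_PEER = Flow("192.168.10.20", "20.20.20.20", "tcp", 21)
TRAFFIC_TO_OLD_PEER = Flow("192.168.10.20", "10.10.10.10", "tcp", 443)
HTTPS_TO_NEW_PEER = Flow("192.168.10.20", "20.20.20.20", "tcp", 443)
OTHER_HOST = Flow("192.168.10.21", "20.20.20.20", "tcp", 21)


def compare_orders():
    """Mapped address chosen for each sample flow under both rule orders."""
    flows = {
        "ftp -> 20.20.20.20": FTP_TO_NEW_PEER,
        "https -> 10.10.10.10": TRAFFIC_TO_OLD_PEER,
        "https -> 20.20.20.20": HTTPS_TO_NEW_PEER,
        "other host -> 20.20.20.20": OTHER_HOST,
    }
    return {name: (translate(ORIGINAL_ORDER, f), translate(FIXED_ORDER, f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare_orders().items():
        print(f"{name:28s} original order -> {before}   fixed order -> {after}")
```

With the original order the broad regular static swallows the FTP flow, exactly what the poster saw in packet-tracer; with the policy static first, only FTP to 20.20.20.20 uses 10.51.2.50 and everything else from 192.168.10.20 still falls through to 10.51.2.10, which is why both statics keep working after the reorder. On a real box the existing xlates would still have to be cleared, as the reply says, because the lookup only happens when a translation is created.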

New Member

Re: NAT Statement order of priority??

Hello Jennifer,

Thanks for the response. This solution will still allow both NAT'd traffic flows to be sent to their destinations, right? Both statics are important and for business purposes.

Thanks

Sid

