NAT Statement order of priority??

sidcracker (Level 1)

Hello Everyone,

I am stuck with these two NAT statements. When I add the second NAT statement, it still uses the first NAT statement when I look at the packet-tracer input output.

There is a single "inside interface" IP address that needs to be connected to two different VPN tunnel hosts. The inside address is 192.168.10.20 and it needs to connect to the remote tunnel hosts 10.10.10.10 and 20.20.20.20.

10.51.2.10 is the dmz NAT

10.51.2.50 is the dmz NAT

The first nat statement is made like this

access-list OLD_VPN_192.168.10.20 extended permit ip host 192.168.10.20 10.10.10.10 255.255.255.240

static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255

The second nat statement is like this

access-list NEW_VPN_192.168.10.20 extended permit tcp host 192.168.10.20 20.20.20.20 eq 21

static (inside, dmz) 10.51.2.50 access-list NEW_VPN_192.168.10.20

When I see the output of packet-tracer, the traffic is going via 10.51.2.10, but it's supposed to go via 10.51.2.50. Is there some priority here which I should be aware of?

Thanks

SId


Jennifer Halim (Cisco Employee)

Can you please confirm if your first statement should be:

static (inside, dmz) 10.51.2.10 access-list OLD_VPN_192.168.10.20

instead of:

static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255

as posted earlier?

If it's "static (inside, dmz) 10.51.2.10 access-list OLD_VPN_192.168.10.20", then it is OK as long as you perform "clear xlate" after any of the static NAT changes.

Hi Jennifer,

It's the same as I posted. When I do a "show xlate count detailed"

for the first NAT statement, I get "NAT from inside:192.168.10.20 to dmz:10.51.2.10 flags s"

For the second NAT i get "TCP PAT .........." because I am allowing only FTP and ICMP

Thanks

Sid

In that case, please flip the static NAT statement around as it's processed in order.

I would suggest that you remove both statements, then enter the commands in this order:

static (inside, dmz) 10.51.2.50 access-list NEW_VPN_192.168.10.20

static (inside, dmz) 10.51.2.10 192.168.10.20 netmask 255.255.255.255

Then "clear xlate".

Hello Jennifer,

Thanks for the response. This solution will still allow both NAT traffic flows to be sent to their destinations, right? Both statics are important and serve a business purpose.

Thanks

Sid

Yes, you are correct.

It will match the more specific first, and if it doesn't match that particular static line, it will go down the list.
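An added example, not from the thread or from Cisco, that models the in-order, first-match static processing Jennifer describes using the two statements from this thread. The Packet, AclEntry and Static classes are an assumed simplification for illustration; the model only covers static statements and ignores the other NAT categories (nat 0, dynamic NAT) a real ASA consults.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    """One 'access-list NAME extended permit ...' line; proto 'ip' matches everything."""
    proto: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))

@dataclass(frozen=True)
class Static:
    """Regular static (real host set) or policy static (acl entries set)."""
    mapped: str
    real: Optional[str] = None
    acl: tuple = ()

    def matches(self, p: Packet) -> bool:
        if self.acl:
            return any(e.matches(p) for e in self.acl)
        return p.src == self.real

def translate(statics, p: Packet) -> Optional[str]:
    """Walk the statics in configured order; the first match decides the mapped address."""
    for s in statics:
        if s.matches(p):
            return s.mapped
    return None

# Constructed from the two statements in the thread (pre-8.3 syntax).
NEW_VPN = (AclEntry("tcp", "192.168.10.20/32", "20.20.20.20/32", 21),)
OLD_STATIC = Static(mapped="10.51.2.10", real="192.168.10.20")
NEW_STATIC = Static(mapped="10.51.2.50", acl=NEW_VPN)
AS_POSTED = (OLD_STATIC, NEW_STATIC)   # regular static first: it shadows the policy static
FLIPPED = (NEW_STATIC, OLD_STATIC)     # policy static first, regular static catches the rest
```

With AS_POSTED, FTP from 192.168.10.20 to 20.20.20.20 is translated to 10.51.2.10, which is what packet-tracer showed; with FLIPPED it is translated to 10.51.2.50 while everything else from that host still falls through to 10.51.2.10.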
