Cisco Support Community

NAT,Static precedence

When NAT and static statements are both present, static will take precedence, say, for example, if the traffic is from the same host and outbound. In this case, will it work for outbound access using static if NAT is removed?


Re: NAT,Static precedence

If you have a host falling under a self static statement as well as under a global NAT statement, the static NAT statement will take precedence.

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption): In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT): In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT): Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

--Pls rate if useful--

Re: NAT,Static precedence

Yes, it will work.

For example, if initially you used a NAT/global pair to allow the internal host to go out to the internet, then you changed it to static NAT, i.e., "static (inside,outside) netmask 255.255.255.255", this should work.

But since you statically map it to a public IP, be extra careful with the outside ACL, which might open unnecessary ports for outsiders to come into your server.

HTH

AK
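
The match order listed in the first reply, and the second reply's point that a static keeps working once the nat/global pair is removed, modelled as an added Python example (not Cisco's code and not from either poster). The rule set, addresses, labels and the `without` helper are constructed for illustration, and static PAT is simplified to a match on the local protocol and port.

```python
import ipaddress

# Lookup order from the list in the first reply; only "regular" uses best match.
ORDER = ["exempt", "static", "static_pat", "policy", "regular"]

# Constructed rule set (hypothetical labels, private/documentation addresses).
RULES = [
    {"kind": "regular", "local": "0.0.0.0/0", "label": "regular-any"},
    {"kind": "regular", "local": "10.1.1.1/32", "label": "regular-host"},
    {"kind": "policy", "local": "10.1.1.0/24", "dest": "198.51.100.0/24", "label": "policy"},
    {"kind": "static", "local": "10.1.1.1/32", "label": "static-host"},
    {"kind": "exempt", "local": "10.1.1.0/24", "dest": "10.2.0.0/16", "label": "exempt"},
]

def _applies(rule, src, dst, proto, port):
    """True if the rule's local (and optional destination) criteria match."""
    if src not in ipaddress.ip_network(rule["local"]):
        return False
    if "dest" in rule and dst not in ipaddress.ip_network(rule["dest"]):
        return False
    if rule["kind"] == "static_pat":  # simplification: local proto/port must match
        return (rule["proto"], rule["port"]) == (proto, port)
    return True

def match_nat(rules, src, dst, proto=None, port=None):
    """Return the label of the rule that would translate src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ORDER:
        hits = [r for r in rules if r["kind"] == kind and _applies(r, src, dst, proto, port)]
        if not hits:
            continue
        if kind == "regular":  # best match = most specific local network
            hits.sort(key=lambda r: ipaddress.ip_network(r["local"]).prefixlen, reverse=True)
        return hits[0]["label"]  # every other kind: first match in configuration order
    return None

def without(rules, kind):
    """Rule set with every rule of one kind removed (e.g. the regular nat statements)."""
    return [r for r in rules if r["kind"] != kind]
```

With the regular nat rules removed, 10.1.1.1 still matches its static while every other inside host has no translation at all, which makes the static mapping and the outside ACL the only things standing between that host and the public address.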
