Order of NAT

hi all,

sorry for being a noob, but would like to clarify/review the order of NAT on 8.3+. referring to doc below:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

i'm going to configure NAT on an ASA and would like to know which order of NAT will inside users take first?

my goal is to use PAT-2 first and PAT-1 last. would this be the default behavior?

object network PAT-1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

object network PAT-2
 subnet 172.27.0.0 255.255.0.0
 nat (inside,outside) dynamic 116.212.x.y

7 REPLIES
Cisco Employee

yes, you are correct, based on the configuration above, PAT-2 will take precedence over PAT-1 because PAT-2 has a more specific subnet than PAT-1.

hi jennifer,

thanks for confirming!

hi jennifer,

is this NAT config valid?

i want to use static NAT to the outside public IP.

or should i put the mapped/global IP instead of the keyword 'interface'?

object network VTC_NCB
 host 172.27.252.210
 nat (inside,outside) static interface

Cisco Employee

If you would like to configure static NAT using the "outside public IP" instead of a spare public IP, best practice is to configure static PAT instead of static NAT, because the IP address assigned to the ASA outside interface is also needed for VPN termination (if configured), failover, etc.

ok so the IP configured on the 'outside' interface is 116.212.1.2

object network VTC_NCB
 host 172.27.252.210
 nat (inside,outside) static 116.212.1.2

this IP/interface is also used for dynamic PAT:

object network PAT-2
 subnet 172.27.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

will the two NAT configs work concurrently?

Cisco Employee

No, if you are going to use the outside interface IP Address, it needs to be static PAT, not static NAT.

Do you have a set of ports that needs to be opened for 172.27.252.210?

hi jennifer,

i think i got it. will assign a dedicated spare public IP for static NAT for 172.27.252.210.

i thought this could be the same case as in IOS routers.
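
The precedence confirmed in this thread, generalized to the full ordering the ASA applies to auto (object) NAT rules on 8.3+: static rules before dynamic, then fewest real addresses, then lowest IP number, then object name. This is an added example, not code from the thread or from Cisco; the function names and the 203.0.113.10 address (a placeholder for the dedicated spare public IP) are assumptions, and manual (twice) NAT rules, which the ASA evaluates before auto NAT, are not modelled.

```python
import ipaddress

# Constructed sample from this thread; 203.0.113.10 is a placeholder spare public IP.
CONFIG = """\
object network PAT-1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network PAT-2
 subnet 172.27.0.0 255.255.0.0
 nat (inside,outside) dynamic 116.212.x.y
object network VTC_NCB
 host 172.27.252.210
 nat (inside,outside) static 203.0.113.10
"""

def _net(addr, mask="255.255.255.255"):
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}")

def parse_objects(text):
    """Return one dict per 'object network' block that has a real address and a nat line."""
    objs, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            objs.append(cur := {"name": tok[2]})
        elif cur is None or not tok:
            continue
        elif tok[0] == "subnet":
            cur["real"] = _net(tok[1], tok[2])
        elif tok[0] == "host":
            cur["real"] = _net(tok[1])
        elif tok[0] == "nat":
            cur["type"] = tok[2]          # "static" or "dynamic"
    return [o for o in objs if "real" in o and "type" in o]

def auto_nat_order(objs):
    """Sort the way the ASA orders auto NAT rules, independent of config order."""
    return sorted(objs, key=lambda o: (
        o["type"] != "static",            # static rules before dynamic
        o["real"].num_addresses,          # fewest real addresses first
        int(o["real"].network_address),   # then lowest IP number
        o["name"],                        # then object name
    ))

def first_match(objs, src):
    """Name of the first auto NAT rule whose real addresses contain src, or None."""
    ip = ipaddress.ip_address(src)
    return next((o["name"] for o in auto_nat_order(objs) if ip in o["real"]), None)
```

Calling `first_match(parse_objects(CONFIG), "172.27.10.5")` shows which object an inside source address is translated by; on the ASA itself, `show nat` lists the rules in their evaluated order.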
