Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

nat ID processing order

Hello all;

Does anyone know and also can anyone deliver relavant infoamtion regarding the NAT ID processs flow?

I have two nat/global statements.

access-list WWW permit ip object-group COMPANY-A any

global (outside) 30 60.100.100.60 netmask 255.255.255.192

global (DMZ) 3 interface

global (DMZ2) 50 interface

nat (inside) 0 access-list NONAT

nat (inside) 30 access-list WWW 0 0

nat (inside) 50 access-list DMZ2 0 0

take my word for it. Access-list WWW and DMZ2 both match the egressing packet.

I need to know if I give the nat WWW a nat id of 90, would this solve my problem? My problem is the packet destined for dmz2 is going out the outside interface.

regards

jeff

1 ACCEPTED SOLUTION

Accepted Solutions

Re: nat ID processing order

From 6.3 command ref (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129):

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)?In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)?In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)?In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)?In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)?Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.

1 REPLY

Re: nat ID processing order

From 6.3 command ref (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129):

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)?In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)?In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)?In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)?In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)?Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.

230
Views
0
Helpful
1
Replies
CreatePlease to create content