Translation Preference

Hi,

I want to know by what preference translation in the firewall takes place.

Static NAT, nonat, PAT, policy NAT...

Accepted Solution

Re: Translation Preference

Order of NAT Commands Used to Match Real Addresses

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list): In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static): In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list): In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

Also see:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00804522f6.html

Under the chapter "Applying NAT".
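The four-step matching order in the accepted answer is easy to misread, so here is a small simulator of it. This is an added example, not code from the post or from Cisco: the rule set, CLI strings and addresses are constructed for illustration, and the destination field stands in for the access-list match that nat 0 access-list and policy NAT use. Categories 1 to 3 are searched in configured order and stop at the first hit; category 4 (regular nat) ignores configuration order and picks the most specific real-address match, which is why the /32 statement for 10.1.1.1 beats the 0.0.0.0 catch-all.

```python
"""Simulate the ASA/PIX order for matching a real address to NAT commands.

Added example (not from the post or from Cisco). The rules below are
constructed: the CLI strings only label what each entry stands for.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Category numbers follow the order given in the accepted answer.
EXEMPTION, STATIC, POLICY_DYNAMIC, REGULAR_DYNAMIC = 1, 2, 3, 4


@dataclass
class NatRule:
    category: int
    cli: str                      # constructed CLI line this entry represents
    real: str                     # real (inside) network, e.g. "10.1.1.0/24"
    dest: Optional[str] = None    # ACL destination for nat 0 / policy NAT; None = any

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src not in ipaddress.ip_network(self.real):
            return False
        return self.dest is None or dst in ipaddress.ip_network(self.dest)

    def prefix_len(self) -> int:
        # Longer prefix = more specific real-address match.
        return ipaddress.ip_network(self.real).prefixlen


def match_nat(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Return the NAT rule the appliance would pick for a src->dst connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Steps 1-3: first match wins, in configuration order, category by category.
    for cat in (EXEMPTION, STATIC, POLICY_DYNAMIC):
        for rule in rules:                      # `rules` preserves config order
            if rule.category == cat and rule.matches(src, dst):
                return rule
    # Step 4: regular dynamic NAT is a best match; config order does not matter.
    candidates = [r for r in rules if r.category == REGULAR_DYNAMIC and r.matches(src, dst)]
    return max(candidates, key=NatRule.prefix_len) if candidates else None


# Constructed sample configuration, listed in the order it was "entered".
SAMPLE_RULES = [
    NatRule(REGULAR_DYNAMIC, "nat (inside) 1 0.0.0.0 0.0.0.0", "0.0.0.0/0"),
    NatRule(REGULAR_DYNAMIC, "nat (inside) 2 10.1.1.1 255.255.255.255", "10.1.1.1/32"),
    NatRule(STATIC, "static (inside,outside) 203.0.113.10 10.1.1.20", "10.1.1.20/32"),
    NatRule(EXEMPTION, "nat (inside) 0 access-list NONAT", "10.1.1.0/24", dest="192.168.2.0/24"),
    NatRule(POLICY_DYNAMIC, "nat (inside) 3 access-list POLICY", "10.1.1.0/24", dest="198.51.100.0/24"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.20", "192.168.2.5"), ("10.1.1.20", "8.8.8.8"),
                     ("10.1.1.5", "198.51.100.7"), ("10.1.1.1", "8.8.8.8"),
                     ("10.1.1.5", "8.8.8.8")]:
        hit = match_nat(SAMPLE_RULES, src, dst)
        print(f"{src} -> {dst}: {hit.cli if hit else 'no translation rule'}")
```

Note that the same host 10.1.1.20 hits the nat 0 exemption when talking to 192.168.2.0/24 and the static otherwise: the exemption is evaluated first even though it was configured after the static, because category order takes precedence over line order.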

2 REPLIES

Re: Translation Preference

Hi, from experience I would say that static always takes precedence over no nat, PAT and policy PAT. Now if there is a conflict between PAT and nat 0, I believe nat 0 will take precedence.

It would be interesting to know what other guys have to say!
