
nat 0 ACL and static nat

All,

I have a nat 0 ACL stating that an IP address should not be NATted, while a static NAT statement says it should be NATted. I just want to know which one will take precedence.

Thanks,

Accepted Solutions

Re: nat 0 ACL and static nat

This is the NAT order of operation for PIX/ASA.

The NAT (nameif) 0 acl_name takes precedence.

1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands
   a. Static NAT with and without access-list
   b. Static PAT with and without access-list
4. Match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use global pool for dynamic NAT
      iii. Use global pool for dynamic PAT
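
An added example, not part of the original reply: a small audit script that applies the order above to a pre-8.3 PIX/ASA configuration and lists every static NAT whose real address is also a source in a nat 0 ACL, so step 1 wins over step 3 for those flows. The config text, addresses and the names `SAMPLE_CONFIG` and `find_shadowed_statics` are constructed for illustration; static PAT lines are not parsed.

```python
import ipaddress
import re

# Constructed sample config (pre-8.3 syntax); all addresses are illustrative.
SAMPLE_CONFIG = """\
access-list NONAT extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.20 10.1.3.20 netmask 255.255.255.255
"""

def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from a token list; return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def find_shadowed_statics(config):
    """Return (real, mapped, exempt_dst) for each static NAT also matched by a nat 0 ACL."""
    acls, exempt_acls, statics = {}, set(), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            src = _take_net(rest)
            dst = _take_net(rest)
            acls.setdefault(tok[1], []).append((src, dst))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            exempt_acls.add(m.group(1))
        elif m := re.match(r"static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)", line):
            statics.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
    findings = []
    for mapped, real in statics:
        for name in sorted(exempt_acls):
            for src, dst in acls.get(name, []):
                if real.overlaps(src):
                    # Step 1 (nat-exempt) matches before step 3 (static) for this flow.
                    findings.append((str(real), mapped, str(dst)))
    return findings

if __name__ == "__main__":
    for real, mapped, dst in find_shadowed_statics(SAMPLE_CONFIG):
        print(f"{real}: exempt toward {dst}; static to {mapped} is reached only for other traffic")
```
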
