Nat rule order – Cisco ASA 5505 User Manual

Page 574

Advertising
background image

29-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 29 Information About NAT

NAT Rule Order

NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three
sections. Section 1 rules are applied first, then section 2, and finally section 3.

Table 29-1

shows the

order of rules within each section.

For section 2 rules, for example, you have the following IP addresses defined within network objects:

192.168.1.0/24 (static)

192.168.1.0/24 (dynamic)

10.1.1.0/24 (static)

192.168.1.1/32 (static)

172.16.1.0/24 (dynamic) (object def)

172.16.1.0/24 (dynamic) (object abc)

Table 29-1

NAT Rule Table

Table Section

Rule Type

Order of Rules within the Section

Section 1

Twice NAT

Applied on a first match basis, in the order they appear in the
configuration. By default, twice NAT rules are added to
section 1.

Note

If you configure EasyVPN remote, the ASA
dynamically adds invisible NAT rules to the end of this
section. Be sure that you do not configure a twice NAT
rule in this section that might match your VPN traffic,
instead of matching the invisible rule. If VPN does not
work due to NAT failure, consider adding twice NAT
rules to section 3 instead.

Section 2

Network object NAT

Section 2 rules are applied in the following order, as
automatically determined by the ASA:

1.

Static rules.

2.

Dynamic rules.

Within each rule type, the following ordering guidelines are
used:

a.

Quantity of real IP addresses—From smallest to
largest. For example, an object with one address will
be assessed before an object with 10 addresses.

b.

For quantities that are the same, then the IP address
number is used, from lowest to highest. For example,
10.1.1.0 is assessed before 11.1.1.0.

c.

If the same IP address is used, then the name of the
network object is used, in alphabetical order. For
example, abracadabra is assessed before catwoman.

Section 3

Twice NAT

Section 3 rules are applied on a first match basis, in the order
they appear in the configuration. You can specify whether to
add a twice NAT rule to section 3 when you add the rule.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals