https://community.cisco.com/t5/network-security/changing-priority-of-static-nat-over-nat-exempt-rule/m-p/3217376#M1042644 Hi<BR /><BR />Here an explain on how may is processed on asa:<BR /><A href="https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050" target="_blank">https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050</A><BR /><BR />Can you share your config and give us the source ip and destination ip? With that information we'll be able to help you.<BR /> Thu, 16 Nov 2017 03:55:48 GMT Francesco Molino 2017-11-16T03:55:48Z https://community.cisco.com/t5/network-security/changing-priority-of-static-nat-over-nat-exempt-rule/m-p/3217266#M1042642 <P>Hello,</P> <P>&nbsp;</P> <P>Suppose we have two NAT rules under 'NAT Rules';</P> <P>&nbsp;</P> <P>#&nbsp;&nbsp;&nbsp; Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Original (Source)&nbsp;&nbsp;&nbsp;&nbsp; Original (Destination)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Interface (Translated) &nbsp; &nbsp; Address(Translated)</P> <P>1&nbsp;&nbsp;&nbsp; Exempt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ANY&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ANY&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outbound<BR />2&nbsp;&nbsp;&nbsp; Static&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Web_internal&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ANY&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Outside (Web_external)</P> <P>Firewall accept inbound access to the external IP address (Statically NATed) of Web_external however I'm seeing asymmetric routing issue on ASA log.</P> <P>&nbsp;</P> <P><FONT color="#FF0000">Asymmetric NAT rules matched for forward and reverse flows- denied due to NAT reverse path failure.</FONT></P> <P>&nbsp;</P> <P>I see NAT exemption rule (#1) is overwritting statc NAT for the outbound.<BR />Is there any way we could put the highest priority on Static NAT over NAT exemption rule?</P> <P>There is up/down arrow for both NAT exemption and static rule but static rule can not go above the NAT exemption rule. </P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 14:45:41 GMT https://community.cisco.com/t5/network-security/changing-priority-of-static-nat-over-nat-exempt-rule/m-p/3217266#M1042642 jon.seung@applecaremedical.com 2020-02-21T14:45:41Z https://community.cisco.com/t5/network-security/changing-priority-of-static-nat-over-nat-exempt-rule/m-p/3217376#M1042644 Hi<BR /><BR />Here an explain on how may is processed on asa:<BR /><A href="https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050" target="_blank">https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050</A><BR /><BR />Can you share your config and give us the source ip and destination ip? With that information we'll be able to help you.<BR /> Thu, 16 Nov 2017 03:55:48 GMT https://community.cisco.com/t5/network-security/changing-priority-of-static-nat-over-nat-exempt-rule/m-p/3217376#M1042644 Francesco Molino 2017-11-16T03:55:48Z