https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785519#M174034 <P>Hi CF,</P> <P>Little correction to what Mike has mentioned. There are two kind of nat which are used wit nat(...) 0. When you see &nbsp;nat 0 with access-list, then it is called 'nat exempt' for which there is no xlate created on ASA and it has the highest preference in the nat order.</P> <P>Another flavor is when you have nat 0 without an access-list which is called as 'identity nat'. This identity means nat to itself. For this nat, xlate entry is created . Please use the link below to understand the same :</P> <P>https://learningnetwork.cisco.com/thread/22575</P> <P></P> <P>Rest of the your understanding is correct as you have explained for dynamic nat.</P> <P></P> <P>Hope it helps.</P> <P>Regards.</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> Wed, 16 Dec 2015 11:09:42 GMT Akshay Rastogi 2015-12-16T11:09:42Z https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785517#M174032 <P>Hello,</P> <P>I am a newbie to the Cisco ASA world. So I am finding it difficult to understand certain configuration especially the ones configured in older versions.</P> <P>Can you please help me to understand the meaning of these commands:</P> <P><EM>global (outside) 13 interface</EM><BR /><EM>nat (inside) 0 access-list 10</EM>&nbsp; --&gt; My assumption is ACL 10 entries are exempted from NATing since its in Nat rule position 0<BR /><EM>nat (inside) 13 0.0.0.0 0.0.0.0</EM><BR /><EM>nat (dmz) 0 access-list 12</EM> --&gt; My assumption is ACL 12 entries are exempted from NATing since its in Nat rule position 0</P> <P></P> <P>My assumption about the other two statements is they are connected each other(They both share rule position 13). So any IP that hits the internal interface will be NATed with the interface IP of external interface. Am I right?</P> <P>CF</P> Tue, 12 Mar 2019 07:02:08 GMT https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785517#M174032 Cisco Freak 2019-03-12T07:02:08Z https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785518#M174033 <P>Short answer, yes. you are correct.&nbsp;</P> <P>ACL 12 can have a source/dest and from that source/des comming from the DMZ interface the traffic is not going to be natted.&nbsp;</P> <P>Same logic for the other one.&nbsp;</P> <P></P> <P>There are some rules in regards to the order of operation. Nat0 IS only beaten if there is an existing NAT session going on (existing xlate), the rest of the order goes as follows&nbsp;</P> <P></P> <P>Existing Xlate (sh xlate)&nbsp;</P> <P>Nat0&nbsp;</P> <P>Static NAT -----First match on the list (sh run static)&nbsp;</P> <P>Static PAT (port forward)---First match on the list <STRONG></STRONG><SPAN>(sh run static)&nbsp;</SPAN></P> <P>Regular NAT (Nat and global commands)----Best match (most specific)&nbsp;</P> <P></P> <P>Cheers&nbsp;</P> <P>Mike.&nbsp;</P> <P><SPAN></SPAN></P> Tue, 15 Dec 2015 05:55:33 GMT https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785518#M174033 Maykol Rojas 2015-12-15T05:55:33Z https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785519#M174034 <P>Hi CF,</P> <P>Little correction to what Mike has mentioned. There are two kind of nat which are used wit nat(...) 0. When you see &nbsp;nat 0 with access-list, then it is called 'nat exempt' for which there is no xlate created on ASA and it has the highest preference in the nat order.</P> <P>Another flavor is when you have nat 0 without an access-list which is called as 'identity nat'. This identity means nat to itself. For this nat, xlate entry is created . Please use the link below to understand the same :</P> <P>https://learningnetwork.cisco.com/thread/22575</P> <P></P> <P>Rest of the your understanding is correct as you have explained for dynamic nat.</P> <P></P> <P>Hope it helps.</P> <P>Regards.</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> Wed, 16 Dec 2015 11:09:42 GMT https://community.cisco.com/t5/network-security/asa-nat-command/m-p/2785519#M174034 Akshay Rastogi 2015-12-16T11:09:42Z