topic Policy Dynamic NAT on ASA - Matching Order in Network Security

Policy Dynamic NAT on ASA - Matching Order

ds6123 — Mon, 11 Mar 2019 22:09:37 GMT

I have in my ASA, config like this:

nat (inside) 1 access-list ACL1

nat (inside) 4 access-list ACL4

nat (inside) 3 access-list ACL3

The document *here* says "Policy dynamic NAT (nat access-list) — In order, until the first match. Overlapping addresses are allowed."

Now I always thought that meant, the order of the numbers in your NAT statement (as opposed to the order they show in your config). Packet-tracer suggests that I'm wrong, however. So it's really the order of the the policy NAT statements in the config? Is there a way to gracefully re-order these elements without doing a:

no nat (inside) 4 access-list ACL4

nat (inside) 4 access-list ACL4

Policy Dynamic NAT on ASA - Matching Order

Julio Carvajal — Tue, 03 Jan 2012 22:55:43 GMT

Hello,

If you do a show run nat you are going to see the order of the nat statements in your asa, as soon as one packet matches a nat rule it will use that nat.

If you want you can provide us the show run access-list ,sh run nat ,sh run global and finally the packet tracer so I can analize it for you.

Do rate helpful posts

Julio

Policy Dynamic NAT on ASA - Matching Order

ds6123 — Tue, 03 Jan 2012 23:09:56 GMT

Thanks Julio,

The statements above are the order it appears in the config, which is the same as the "show run nat". So...

show run nat

nat (inside) 1 access-list ACL1

nat (inside) 4 access-list ACL4

nat (inside) 3 access-list ACL3

Notice the order of 3 and 4.

So what you're saying is the order the statements appear in the config is what determines what is matched first (which seems to be what's happening). So ACL1, *ACL4* then ACL3 (the order in the config)? As opposed to ACL1, ACL3 then ACL4 (numberical order of the identifier within the NAT statement).

The config is kinda sanitized, so other info might not make sense. But basically the packet-tracer is saying ACL4 is matching. And technically, ACL4 *does* match, so it unfortunately never reaches ACL3.

Now, I know the fix to this. Just delete nat statement 4 and re-add it. But nat statement 4 is super critical to operations. And I wanted confirmation that my thought process was correct, and that there isn't an easier way to re-order the nat statements in the running config besides deleting them (and causing a temporary outage) and re-adding.

Know what I mean?

Policy Dynamic NAT on ASA - Matching Order

Julio Carvajal — Tue, 03 Jan 2012 23:41:19 GMT

Hello,

That is correct, the ASA has a order to follow talking about NAT

The ASA matches real addresses to NAT rules in the following order:

1. NAT exemption—In order, until the first match.

2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT

is included in this category.

3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT—Best match.

So as you can see on the position number 3 it is a first match, witch will happend depending on if you configure first nat 1 or nat 2.

Hope this helps.

Do rate helpful posts!!

Julio