https://community.cisco.com/t5/network-security/nat-precedence/m-p/864960#M957824 <P>When you have two nat </P><P>1)nat (xxxx) 1 access-list xxxx</P><P>GLOBAL (yyyy) 1 193.243.64.227 </P><P>access-list xxxx permit ip host 10.80.133.1 any</P><P>2)nat (xxxx)0 0.0.0.0 0.0.0.0</P><P>access-list xxxx permit ip host 10.80.133.1 any</P><P></P><P>whcih will taker precedence?</P><P></P><P></P><P> </P><P></P> Wed, 13 Mar 2019 00:56:04 GMT aksher 2019-03-13T00:56:04Z https://community.cisco.com/t5/network-security/nat-precedence/m-p/864960#M957824 <P>When you have two nat </P><P>1)nat (xxxx) 1 access-list xxxx</P><P>GLOBAL (yyyy) 1 193.243.64.227 </P><P>access-list xxxx permit ip host 10.80.133.1 any</P><P>2)nat (xxxx)0 0.0.0.0 0.0.0.0</P><P>access-list xxxx permit ip host 10.80.133.1 any</P><P></P><P>whcih will taker precedence?</P><P></P><P></P><P> </P><P></P> Wed, 13 Mar 2019 00:56:04 GMT https://community.cisco.com/t5/network-security/nat-precedence/m-p/864960#M957824 aksher 2019-03-13T00:56:04Z https://community.cisco.com/t5/network-security/nat-precedence/m-p/864961#M957825 <HTML><HEAD></HEAD><BODY><P>Hi Aksher</P><P> You have never rated the useful posts of experts here. Please rate useful. You have NEVER! rated. Please show respect. Rating a post does not cost any fee.</P><P></P><P>Regards</P></BODY></HTML> Wed, 02 Jan 2008 03:15:39 GMT https://community.cisco.com/t5/network-security/nat-precedence/m-p/864961#M957825 Alan Huseyin Kayahan 2008-01-02T03:15:39Z https://community.cisco.com/t5/network-security/nat-precedence/m-p/864962#M957826 <HTML><HEAD></HEAD><BODY><P>Agree.. we are all always in the look to help out others, in return it is good to use the rating system which in fact helps netpros to improve even more in assisting others.</P></BODY></HTML> Wed, 02 Jan 2008 05:16:15 GMT https://community.cisco.com/t5/network-security/nat-precedence/m-p/864962#M957826 JORGE RODRIGUEZ 2008-01-02T05:16:15Z https://community.cisco.com/t5/network-security/nat-precedence/m-p/864963#M957827 <HTML><HEAD></HEAD><BODY><P>Aksher,</P><P></P><P>Here is the order of operations for NAT on the firewall:</P><P></P><P>1. nat 0 access-list (nat-exempt)</P><P>2. Match existing xlates</P><P>3. Match static commands</P><P> a. Static NAT with and without access-list</P><P> b. Static PAT with and without access-list</P><P>4. Match nat commands</P><P> a. nat [id] access-list (first match)</P><P> b. nat [id] [address] [mask] (best match)</P><P> i. If the ID is 0, create an identity xlate</P><P> ii. Use global pool for dynamic NAT</P><P> iii. Use global pool for dynamic PAT</P><P></P><P>Be aware that in your second example, you are not referencing the ACL listed directly below it. The space inside the parenthesis is used to reference an interface. (2 would fall in to the OoO 4bi and 1) would fall in to the OoO 4a</P><P></P><P>Thanks,</P><P>-=Blayne</P></BODY></HTML> Wed, 02 Jan 2008 05:46:10 GMT https://community.cisco.com/t5/network-security/nat-precedence/m-p/864963#M957827 Christopher Dreier 2008-01-02T05:46:10Z https://community.cisco.com/t5/network-security/nat-precedence/m-p/864964#M957828 <HTML><HEAD></HEAD><BODY><P>In 2, when you say "Match existing xlates" does it mean the existing xlates pertaining to 1</P></BODY></HTML> Wed, 02 Jan 2008 06:40:01 GMT https://community.cisco.com/t5/network-security/nat-precedence/m-p/864964#M957828 aksher 2008-01-02T06:40:01Z https://community.cisco.com/t5/network-security/nat-precedence/m-p/864965#M957829 <HTML><HEAD></HEAD><BODY><P>It means any existing xlate currently in the xlate table.</P><P></P><P>eg.</P><P></P><P>You have the following command in your config:</P><P>static (inside,outside) 87.45.29.48 192.168.1.1 netmask 255.255.255.255</P><P></P><P>You build an xlate with this static. You then experience traffic that would use this same static, but you didn't check the xlate table. - Problem!</P><P></P><P>So you should always check to see if an xlate exists in the table before attempting to create a translation based on a NAT rule.</P></BODY></HTML> Wed, 02 Jan 2008 14:16:27 GMT https://community.cisco.com/t5/network-security/nat-precedence/m-p/864965#M957829 Christopher Dreier 2008-01-02T14:16:27Z