Understanding ASA NAT Order

Hi Everyone

1. nat (inside,any) source static INSIDE INSIDE destination static SITE1 SITE1
2. nat (inside,twbc) source static INSIDE INSIDE destination static SITE2 SITE2
3. nat (inside,twbc) source static INSIDE INSIDE destination static SITE3 SITE3
4. nat (inside,twbc) source static INSIDE INSIDE destination static SITE4 SITE4
5. nat (inside,mpls) source static INSIDE INSIDE destination static SITE4 SITE4
[...]

Referring to the above entries:
Assuming the ASA has already hit entry 4, will it still go on to read entry 5 and the rest of the NAT entries?

Or will it stop at entry 4 and not read the rest of the entries?
We're running asa991-smp-k8

 

Thanks,

Jon

2 REPLIES
VIP Advisor

Re: Understanding ASA NAT Order

Not sure what your requirement is, but looking at your ingress and egress interfaces on statements 4 and 5, they are different, yet the source and destination IPs are the same. If you want different NAT based on ingress and egress interface, you could also consider object NAT, but this gets treated at the bottom.

Please remember to rate useful posts, by clicking on the stars below.

VIP Mentor

Re: Understanding ASA NAT Order

The answer to your question is that the processing of the NAT rules stops after finding a hit. But the answer to your problem is the keyword "route-lookup" at the end of the NAT statement.
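
The behaviour discussed in this thread, as an added example that is not part of any post above: a simplified Python model of first-match manual NAT evaluation for the five rules in the question, with and without `route-lookup`. The subnets, the routing table and the names `NatRule`, `build_rules` and `process` are constructed for illustration; the model assumes that an identity NAT rule with a named egress interface uses that interface unless `route-lookup` is set, and that `any` falls back to the routing table.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: the thread gives neither the subnets nor the routes.
OBJECTS = {"INSIDE": "10.0.0.0/24", "SITE1": "10.1.0.0/24", "SITE2": "10.2.0.0/24",
           "SITE3": "10.3.0.0/24", "SITE4": "10.4.0.0/24"}
ROUTES = {"10.1.0.0/24": "twbc", "10.2.0.0/24": "twbc",
          "10.3.0.0/24": "twbc", "10.4.0.0/24": "mpls"}  # prefix -> egress

@dataclass
class NatRule:
    line: int
    real_if: str
    mapped_if: str
    src: str
    dst: str
    route_lookup: bool = False

def in_object(ip, name):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[name])

def route_egress(dst_ip):
    """Longest-prefix match in the (constructed) routing table."""
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build_rules(route_lookup):
    """The five rules from the question; route_lookup toggles the keyword on all."""
    spec = [("any", "SITE1"), ("twbc", "SITE2"), ("twbc", "SITE3"),
            ("twbc", "SITE4"), ("mpls", "SITE4")]
    return [NatRule(i, "inside", ifc, "INSIDE", dst, route_lookup)
            for i, (ifc, dst) in enumerate(spec, start=1)]

def process(rules, ingress, src_ip, dst_ip):
    """Return (line of the rule that matched, egress interface) for a new flow."""
    for r in rules:  # top-down evaluation, stops at the first match
        if r.real_if == ingress and in_object(src_ip, r.src) and in_object(dst_ip, r.dst):
            if r.mapped_if == "any" or r.route_lookup:
                return r.line, route_egress(dst_ip)  # routing table decides
            return r.line, r.mapped_if               # NAT rule decides
    return None, route_egress(dst_ip)                # no NAT rule matched

if __name__ == "__main__":
    for flag in (False, True):
        print("route-lookup:", flag, process(build_rules(flag), "inside", "10.0.0.5", "10.4.0.9"))
```

In both runs the flow to SITE4 matches entry 4 and entry 5 is never reached; only the egress interface changes once `route-lookup` hands the decision to the routing table.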