
Understanding ASA NAT Order

Jon Eyes
Level 1

Hi Everyone

1. nat (inside,any) source static INSIDE INSIDE destination static SITE1 SITE1
2. nat (inside,twbc) source static INSIDE INSIDE destination static SITE2 SITE2
3. nat (inside,twbc) source static INSIDE INSIDE destination static SITE3 SITE3
4. nat (inside,twbc) source static INSIDE INSIDE destination static SITE4 SITE4
5. nat (inside,mpls) source static INSIDE INSIDE destination static SITE4 SITE4
[...]

Referring to the above entries:
Assuming the ASA has already hit entry 4, will it still proceed to read entry 5 and the rest of the NAT entries?

Or will it stop at entry 4 and not read the rest of the entries?
We're running asa991-smp-k8

Thanks,

Jon

2 Replies

Dennis Mink
VIP Alumni

Not sure what your requirement is, but looking at your ingress and egress interfaces on statements 4 and 5, they are different, yet the source and destination IPs are the same. If you want different NAT based on ingress and egress interface, you could also consider object NAT, but this gets treated at the bottom.

Please remember to rate useful posts, by clicking on the stars below.

The answer to your question is that the processing of the NAT rules stops after finding a hit. But the answer to your problem is the keyword "route-lookup" at the end of the NAT statement.
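The first-match behaviour described in the reply above can be checked offline against a rule list. The following is an added example, not code from the thread or from Cisco: it parses the five statements from the question and reports any rule that can never be hit. It assumes a rule is matched on its real (ingress) interface and the source and destination object names only, and that object names do not overlap in content; the function names are hypothetical.

```python
import re

# Constructed sample: the five rules from the question (rule 4 written with its comma).
CONFIG = """\
nat (inside,any) source static INSIDE INSIDE destination static SITE1 SITE1
nat (inside,twbc) source static INSIDE INSIDE destination static SITE2 SITE2
nat (inside,twbc) source static INSIDE INSIDE destination static SITE3 SITE3
nat (inside,twbc) source static INSIDE INSIDE destination static SITE4 SITE4
nat (inside,mpls) source static INSIDE INSIDE destination static SITE4 SITE4
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,\s)]+),(?P<mapped_if>[^,\s)]+)\) "
    r"source static (?P<src>\S+) \S+ "
    r"destination static (?P<dst>\S+) \S+(?P<opts>.*)$"
)

def parse_rules(text):
    """Parse static twice-NAT lines into dicts, numbered in configured order."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = NAT_RE.match(line)
        if not m:
            raise ValueError(f"not a static twice-NAT rule: {line!r}")
        rule = m.groupdict()
        rule["n"] = len(rules) + 1
        rule["route_lookup"] = "route-lookup" in rule.pop("opts").split()
        rules.append(rule)
    return rules

def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`.
    Assumption: the match key is real interface + object names; the mapped
    (egress) interface named in the rule is not part of the key."""
    same_if = earlier["real_if"] in ("any", later["real_if"])
    return same_if and (earlier["src"], earlier["dst"]) == (later["src"], later["dst"])

def shadowed(rules):
    """Return {rule_number: number_of_the_earlier_rule_that_hits_first}."""
    out = {}
    for i, later in enumerate(rules):
        first = next((e for e in rules[:i] if covers(e, later)), None)
        if first:
            out[later["n"]] = first["n"]
    return out

if __name__ == "__main__":
    for late, early in shadowed(parse_rules(CONFIG)).items():
        print(f"rule {late} is never reached: rule {early} matches first")
```

Run on the question's config, it flags entry 5 as unreachable behind entry 4, which is the situation the `route-lookup` suggestion addresses.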
