Solved: ASA 5505 automatic nat, order of operation

dm · ‎02-21-2017

Hello!

If I have in ASA 5505 (9.1.7) config:

object network obj-192.168.29.7
nat (inside,outside) static 1.1.1.1 service tcp 1194 1194

and

object network obj-192.168.29.2
nat (inside,outside) static 1.1.1.1

in any order , then ASA alsways choose last translation, i.e. nat (inside,outside) static 1.1.1.1 service tcp 1194 1194 is ignored.

Could you tell me why and is there any way to fix this?

Thank you!

Rahul Govindan · ‎02-21-2017

The NAT rule of operation i given here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#31590

Both the above rules are Object NAT static rules. According to the condition b, the rule for 192.168.29.2 is always matched first as it is smaller that 192.168.29.7.

One workaround for this is to create the same object NAT rule under the Twice NAT section so that it gets processed before the Object NAT statements.

View solution in original post

Rahul Govindan · ‎02-21-2017

The NAT rule of operation i given here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#31590

Both the above rules are Object NAT static rules. According to the condition b, the rule for 192.168.29.2 is always matched first as it is smaller that 192.168.29.7.

One workaround for this is to create the same object NAT rule under the Twice NAT section so that it gets processed before the Object NAT statements.

dm · ‎02-21-2017

Thank you!

I have question about Twice NAT here

https://supportforums.cisco.com/discussion/13230636/asa-5505-static-port-forwarding

Could you , please, answer to it too?

Thank you!