ASA 5510 NAT or rules first?

jhonny.eriksson
Level 1

Hello,

Quick question: How does the Cisco ASA 5510 operate on an incoming traffic flow? Does it apply the source NAT first and then match rules according to the translated address? Or does it match rules according to the original source and then apply NAT just before forwarding the packets?

Thanks, Best Regards

Jhonny Eriksson

Accepted Solutions

Hello Jhonny,

Before the 8.3 OS, policy (ACL) was first, and if the policy succeeded, then it hit the NAT rule.

But from 8.3 onwards, the order of operation has been changed: now the NAT rule is first and then policy comes into the picture. That is the reason that in post-8.3 versions, the outside ACL should have the real IP address in the match entry.

Hope this helps

Harish.

Mariusz Bochen
Level 1

A good thing to do is a packet-tracer test to see the exact detailed order.
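The difference described in this thread, as an added configuration sketch that is not part of the original posts: the same inbound server publication written for pre-8.3 and for 8.3+ software, followed by the packet-tracer check. All addresses (RFC 5737 and RFC 1918 ranges), the object name WEB_SRV and the ACL name OUTSIDE_IN are constructed for illustration.

```cisco
! ---------------------------------------------------------------
! Constructed example values (not from the thread):
!   real (inside) server address : 10.1.1.10
!   mapped (outside) address     : 203.0.113.10
!   test client on the outside   : 198.51.100.5
! ---------------------------------------------------------------

! --- Pre-8.3: the outside ACL is checked before the translation,
! --- so the permit entry matches the MAPPED (public) address.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! --- 8.3 and later: the translation is resolved first, so the same
! --- permit entry must match the REAL (inside) address.
object network WEB_SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside

! --- Verify on the running software version. The simulated packet is
! --- still addressed to the mapped address, as a real client would
! --- send it; the phase list in the output shows where the UN-NAT
! --- and ACCESS-LIST steps are evaluated and which rule matched.
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443 detailed
```

After an upgrade across 8.3, an outside ACL entry that still names the mapped address no longer matches the published server's traffic, so review each entry against the real address and confirm with packet-tracer.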
