Showing results for 
Search instead for 
Did you mean: 

ASA 8.4 NAT order question

Level 1
Level 1

In pre-8.3, NAT had a group number to match nat to global.

How do I do this in 8.4?  I need a default pat (, but I also have specific pat for certain subnets.  How do I keep them from overlapping?  Will it check more specific nat statements first before it gets to more generic any any or



1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni


Generally you should consider the following things with regarding NAT in 8.3 and newer software

  • NAT is broken into 3 sections on the ASA
    • Section 1 consists of Twice NAT configurations (also called Manual NAT)
    • Section 2 consists of NAT configurations configured under "object network"
    • Section 3 consists of Twice NAT (also called Manual NAT) configurations that have been moved to the last section with the parameter "after-auto" (configured right after the source and destination interface)
  • NAT has "line numbers" just like ACLs for Section 1 and Section 3 NAT configurations 
    • Adding a new Twice NAT rule with a line number (right after source,destination interface) will move the existing rule and any after that 1 line number down. Without line number its added at the bottom (and might not apply)
  • NAT configured with "object network" doesnt not use "line numbers". Instead their use is based on how specific the rule is and the decision of the ASA what rule to use might be even as specific as the the alphabetic order of the "object network" names is

I suggest reading the following section of the Configuration Guide for your software. (And any related sections). They give some nice addiotional information about the NAT operations

Now lets take this example situation

  • You have alot of networks that fall into the whole network
  • You want to give own NAT rules for some 10.x.x.x/yy subnets

The "catch all" Default PAT rule

object-group network DEFAULT-PAT-SOURCE


nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface


  • DEFAULT-PAT-SOURCE = Is the "object-group" that defines the networks that are used for this PAT configurations
  • after-auto = Moves this NAT rule to the last Section 3 (as mentioned in the start of the post, it should be a default rule if nothing else is configured)
  • interface = Is the parameter that will define that the destination interface of the NAT (outside) is used as PAT address

Now if we want to create a more specific rule in the Section 3 we could do the following

object-group network SPECIAL-PAT-SOURCE


object network PAT-ADDRESS


nat (inside,outside) 1 after-auto source dynamic SPECIAL-PAT-SOURCE PAT-ADDRESS


  • SPECIAL-PAT-SOURCE = Again defines the source addresses/networks for the NAT/PAT
  • PAT-ADDRESS = Is used to define the new Public IP address since we can use the "interface" parameter (we want another IP address)
  • "1" = This is the crucial point. It moves the new NAT rule in Section 3 NAT rules to the top. Taking the place of the NAT configuration we configured first. Hence the new rule will be hit first and all remanining 10-networks will hit the default PAT rule that is now on line number "2" 
    • Notice that the line numbers dont show in the CLI format of the configuration when using "show run nat". They only show on the CLI with "show nat" which doesnt really give a clear output

Example show command output from my ASA

ASA(config)# sh run nat

  • No NAT rule numbering

nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

nat (WLAN,WAN) after-auto source dynamic WLAN-NETWORK interface

ASA(config)# show nat

  • Order of NAT configurations mentioned (and also the Section number)

Manual NAT Policies (Section 3)

1 (LAN) to (WAN) source dynamic LAN-NETWORK interface

    translate_hits = 0, untranslate_hits = 0

2 (WLAN) to (WAN) source dynamic WLAN-NETWORK interface

    translate_hits = 0, untranslate_hits = 0

Hitcounts are 0 because I remotely reloaded the ASA earlier today and there are no hosts turned on behind it.

The above is not the only options naturally but its based on the way I configure NAT.

  • Section 1 (Manual NAT): Special NAT setups (VPN, possible partner DMZ connections etc)
  • Section 2 (Object NAT): Static NAT and Port Forward configurations (Static PAT)
  • Section 3 (Manual NAT): Default NAT/PAT rules for majority of the traffic through the ASA

Hopefully this answered your questions. Please rate or mark the question as answered if so. Naturally ask more if you need some clarifications or need to ask something more

- Jouni

Review Cisco Networking products for a $25 gift card