ASA Nat command

Cisco Freak
Level 4

Hello,

I am a newbie to the Cisco ASA world, so I am finding it difficult to understand certain configurations, especially the ones configured in older versions.

Can you please help me understand the meaning of these commands:

global (outside) 13 interface
nat (inside) 0 access-list 10  --> My assumption is ACL 10 entries are exempted from NATing since it's in NAT rule position 0
nat (inside) 13 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list 12 --> My assumption is ACL 12 entries are exempted from NATing since it's in NAT rule position 0

My assumption about the other two statements is that they are connected to each other (they both share rule position 13). So any IP that hits the internal interface will be NATed with the interface IP of the external interface. Am I right?

CF

2 Replies

Maykol Rojas
Cisco Employee

Short answer: yes, you are correct.

ACL 12 can have a source/dest, and traffic from that source/dest coming from the DMZ interface is not going to be NATted.

Same logic for the other one.

There are some rules in regards to the order of operation. Nat 0 is only beaten if there is an existing NAT session going on (existing xlate); the rest of the order goes as follows:

Existing xlate (sh xlate)

Nat 0

Static NAT ----- First match on the list (sh run static)

Static PAT (port forward) --- First match on the list (sh run static)

Regular NAT (nat and global commands) ---- Best match (most specific)

Cheers

Mike.

Akshay Rastogi
Cisco Employee

Hi CF,

A little correction to what Mike has mentioned. There are two kinds of NAT which are used with nat (...) 0. When you see nat 0 with an access-list, it is called 'nat exempt', for which there is no xlate created on the ASA, and it has the highest preference in the NAT order.

The other flavor is when you have nat 0 without an access-list, which is called 'identity nat'. This identity means NAT to itself. For this NAT, an xlate entry is created. Please use the link below to understand the same:

https://learningnetwork.cisco.com/thread/22575

The rest of your understanding is correct, as you have explained for dynamic NAT.

Hope it helps.

Regards.

Akshay Rastogi

Remember to rate helpful posts.
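To make the rules in both replies concrete, here is an added example (not from the original posts and not Cisco code): a small Python classifier for the pre-8.3 nat/global/static syntax that pairs nat and global statements by id, distinguishes nat 0 with an ACL (NAT exempt, no xlate) from nat 0 without one (identity NAT, xlate created), and sorts the rules by the lookup order Mike describes. The regexes, dictionary keys, rank numbers and sample config lines are constructed for this example.

```python
import re

# Constructed regexes for the three pre-8.3 statement forms the thread discusses.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (.+)$")

# Lookup order once no existing xlate matches: nat 0 exempt, then static NAT/PAT
# (first match), then regular nat/global pairs (best match). Lower rank wins.
RANK = {"exempt": 1, "static": 2, "identity": 3, "dynamic": 3}

def parse_nat_config(lines):
    """Split raw config lines into nat rules, globals keyed by id, and statics."""
    nats, globals_, statics = [], {}, []
    for raw in lines:
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2), m.group(3)))
    return nats, globals_, statics

def classify(lines):
    """Label each rule (kind, interfaces, match, pool, xlate?) and sort by lookup rank."""
    nats, globals_, statics = parse_nat_config(lines)
    rules = [{"kind": "static", "from": s, "to": d, "match": spec, "xlate": True,
              "rank": RANK["static"]} for s, d, spec in statics]
    for iface, nat_id, spec in nats:
        if nat_id == 0 and spec.startswith("access-list"):
            # nat 0 + ACL: NAT exempt, no xlate, beaten only by an existing xlate.
            rules.append({"kind": "exempt", "from": iface, "match": spec.split()[1],
                          "xlate": False, "rank": RANK["exempt"]})
        elif nat_id == 0:
            # nat 0 without ACL: identity NAT, translates to itself, xlate is created.
            rules.append({"kind": "identity", "from": iface, "match": spec,
                          "xlate": True, "rank": RANK["identity"]})
        else:
            # Regular NAT: paired with every global carrying the same id; a nat with
            # no matching global yields no rule here, which is itself worth noticing.
            for g_iface, pool in globals_.get(nat_id, []):
                where = f"{g_iface} interface IP" if pool == "interface" else pool
                rules.append({"kind": "dynamic", "from": iface, "to": g_iface, "match": spec,
                              "pool": where, "xlate": True, "rank": RANK["dynamic"]})
    return sorted(rules, key=lambda r: r["rank"])

# Constructed sample: the four lines from the question above.
SAMPLE = ["global (outside) 13 interface", "nat (inside) 0 access-list 10",
          "nat (inside) 13 0.0.0.0 0.0.0.0", "nat (dmz) 0 access-list 12"]
```

Running classify(SAMPLE) lists the two ACL exemptions first and the nat/global 13 pair last, translating inside hosts to the outside interface IP.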
