Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1278
Views
0
Helpful
1
Replies

Changing priority of Static NAT over NAT exempt rule

jon.seung@applecaremedical.com
Level 1
Level 1

‎11-15-2017 01:02 PM - edited ‎02-21-2020 06:45 AM

Hello,

 

Suppose we have two NAT rules under 'NAT Rules';

 

#    Type          Original (Source)     Original (Destination)        Interface (Translated)     Address(Translated)

1    Exempt      ANY                        ANY                                 Outbound
2    Static        Web_internal           ANY                                  Outside (Web_external)

Firewall accept inbound access to the external IP address (Statically NATed) of Web_external however I'm seeing asymmetric routing issue on ASA log.

 

Asymmetric NAT rules matched for forward and reverse flows- denied due to NAT reverse path failure.

 

I see NAT exemption rule (#1) is overwritting statc NAT for the outbound.
Is there any way we could put the highest priority on Static NAT over NAT exemption rule?

There is up/down arrow for both NAT exemption and static rule but static rule can not go above the NAT exemption rule.

 

 

 

 

Labels:
0 Helpful
1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni

‎11-15-2017 07:55 PM

Hi

Here an explain on how may is processed on asa:
https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

Can you share your config and give us the source ip and destination ip? With that information we'll be able to help you.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card