12-30-2010 10:33 PM - edited 03-11-2019 12:29 PM
Hi,
I'm aware of the NAT order of operation, but what would be the order of operation within the same type of NAT (e.g. static policy NAT)? E.g.:
access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1
access-list nat-you permit ip host 192.168.20.1 host 10.0.20.1
static (inside,dmz) 172.16.10.1 access-list nat-me >> First line as appearing in the config
static (inside,dmz) 172.16.20.1 access-list nat-you >> Second line appearing in the config
Would it prefer to NAT according to the placement of the STATIC NAT statements in the config? If yes, is there any way to insert a NAT statement on top of all the STATIC NAT statements without using "no" on the rules and pasting them again following the new NAT statement?
Will it invite any downtime during such a configuration change? Any suggestion would be helpful.
TIA
Hitesh
12-31-2010 06:27 AM
Hitesh,
You mean to say you need to insert a static 1-1 NAT in place of this static policy NAT?
Just copy and paste all the lines into Notepad (the ones to be removed and the ones that need to be added) and paste them in one shot.
Existing connections will not be affected, and it only takes a few seconds before the new lines get into the config, so any new connections that come in during those split seconds will be affected, which I think will be negligible.
ASDM has an option to insert a line (under NAT). Though you may insert the new line before the existing ones, once pushed to the device the new line is the last one added, meaning there is no line number, like the ACL has, to add one line above all existing lines without removing the ones that are already there.
-KS
01-02-2011 10:56 PM
Hi Sankar,
Apologies for not explaining the scenario; you got me half correct. Actually the case is as below. Suppose the existing configuration on the ASA is as below. Now there is a host 192.168.20.20 which is communicating with 10.0.20.20, so it will check the NAT statements and, according to the second NAT statement, the source will get NATed to 172.16.20.1.
access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1
access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0
static (inside,dmz) 172.16.10.1 access-list nat-me >> First line as appearing in the config
static (inside,dmz) 172.16.20.1 access-list nat-you >> Second line appearing in the config
Now I want this host 192.168.20.20 to get NATed to a different IP, e.g. 172.16.20.20, and all the rest to follow the "nat-you" ACL. Then the new NAT statement would be appended below the existing NAT statements:
access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1
access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list nat-1 permit ip host 192.168.20.20 host 10.0.20.0
static (inside,dmz) 172.16.10.1 access-list nat-me >> First line as appearing in the config
static (inside,dmz) 172.16.20.1 access-list nat-you >> Second line appearing in the config
static (inside,dmz) 172.16.20.20 access-list nat-1 >> Third line appearing in the config
So it seems to me that, as per the NAT statements, the traffic from 192.168.20.20 to 10.0.20.20 will not get NATed to 172.16.20.20 as it is getting matched by the upper NAT statement.
Correct me if I'm wrong... and if it's right, do we have any workaround for this situation?
Thanks in Advance
Hitesh
01-02-2011 11:03 PM
Hi,
A workaround would be:
access-list nat-you deny ip host 192.168.20.20 10.0.20.0 255.255.255.0
access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0
Dan
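To make the ordering argument in this thread concrete, here is an added example (not from the thread or from Cisco) that models the two rules the posts rely on: policy statics are tried in the order they appear in the config, the first static whose ACL permits the flow wins, and a deny ACE inside a policy ACL makes that static not match so evaluation falls through to the next one. The ACL/static parser and the IP matching are real; the evaluation order is an assumption taken from the posts above, not from ASA documentation, so verify on a lab box before relying on it. The nat-1 ACL is assumed to target the 10.0.20.0/24 network (the "host 10.0.20.0" line in the question would never match 10.0.20.20); the config lines are constructed from the thread.

```python
"""Model of pre-8.3 ASA static policy NAT ordering (added example, not from the thread).

Assumptions, taken from what the posts describe rather than from Cisco documentation:
  * 'static (real,mapped) MAPPED access-list NAME' entries are evaluated in the order
    they appear in the running config; the first whose ACL permits the flow wins.
  * Within an ACL, ACEs are evaluated top-down; a matching 'deny' ACE means the flow
    is NOT subject to that static and evaluation continues with the next static.
Only 'ip' ACEs with 'host X' or 'NET MASK' operands are parsed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def _parse_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str):
    """'access-list NAME [extended] permit|deny ip SRC DST' -> (name, action, src, dst)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an ACE: " + line)
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action = t[i]
    if t[i + 1] != "ip":
        raise ValueError("only 'ip' ACEs are modelled")
    src, i = _parse_operand(t, i + 2)
    dst, i = _parse_operand(t, i)
    return name, action, src, dst


def parse_static(line: str) -> Tuple[str, str]:
    """'static (real,mapped) MAPPED access-list NAME' -> (mapped_ip, acl_name)."""
    t = line.split()
    if t[0] != "static" or "access-list" not in t:
        raise ValueError("only policy statics are modelled")
    return t[2], t[t.index("access-list") + 1]


def acl_permits(aces, src: str, dst: str) -> bool:
    """Top-down ACL evaluation: the first matching ACE decides; no match = not permitted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in aces:
        if s in sn and d in dn:
            return action == "permit"
    return False


def translate(config: List[str], src: str, dst: str) -> Optional[str]:
    """Return the mapped address of the first static (in config order) whose ACL permits the flow."""
    acls: Dict[str, list] = {}
    statics: List[Tuple[str, str]] = []
    for line in config:
        if line.startswith("access-list"):
            name, action, sn, dn = parse_ace(line)
            acls.setdefault(name, []).append((action, sn, dn))
        elif line.startswith("static"):
            statics.append(parse_static(line))
    for mapped, acl in statics:          # config order is evaluation order (assumption)
        if acl_permits(acls.get(acl, []), src, dst):
            return mapped
    return None


# Constructed from the thread: the appended nat-1 static, with no deny in nat-you.
APPENDED_ONLY = [
    "access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1",
    "access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0",
    "access-list nat-1 permit ip host 192.168.20.20 10.0.20.0 255.255.255.0",  # /24 assumed
    "static (inside,dmz) 172.16.10.1 access-list nat-me",
    "static (inside,dmz) 172.16.20.1 access-list nat-you",
    "static (inside,dmz) 172.16.20.20 access-list nat-1",
]

# Dan's workaround: a deny for the host placed ABOVE the permit in nat-you.
WITH_DENY = APPENDED_ONLY[:1] + [
    "access-list nat-you deny ip host 192.168.20.20 10.0.20.0 255.255.255.0",
] + APPENDED_ONLY[1:]

# Caveat: the same deny appended BELOW the permit never fires (ACLs are first-match too).
DENY_AFTER_PERMIT = APPENDED_ONLY[:2] + [
    "access-list nat-you deny ip host 192.168.20.20 10.0.20.0 255.255.255.0",
] + APPENDED_ONLY[2:]


def appended_only() -> Optional[str]:
    return translate(APPENDED_ONLY, "192.168.20.20", "10.0.20.20")      # 172.16.20.1

def with_deny() -> Optional[str]:
    return translate(WITH_DENY, "192.168.20.20", "10.0.20.20")          # 172.16.20.20

def deny_after_permit() -> Optional[str]:
    return translate(DENY_AFTER_PERMIT, "192.168.20.20", "10.0.20.20")  # 172.16.20.1

def other_host_with_deny() -> Optional[str]:
    return translate(WITH_DENY, "192.168.20.5", "10.0.20.20")           # 172.16.20.1


if __name__ == "__main__":
    print("appended only     :", appended_only())
    print("deny above permit :", with_deny())
    print("deny below permit :", deny_after_permit())
    print("other host        :", other_host_with_deny())
```

The `deny_after_permit` case is the caveat to watch for on the real box: `access-list nat-you deny ...` typed on its own is appended to the end of the ACL, below the existing permit, where it can never match. Use the `access-list NAME line 1 ...` form (or ASDM's insert-above) so the deny lands above the permit; unlike the static statements, ACLs do have line numbers.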