Is NAT ID having any Priority in Cisco ASA ?

Hi All,

Just to clarify a long-standing doubt I have about the Cisco ASA Firewall.

For Example :

nat (inside) 10 access-list test10

nat (inside) 20 access-list test20

global (outside) 10 interface

global (outside-new) 20 interface

Suppose I have an ACL entry that is present in both NAT ACLs, and I have a default route towards the "outside" interface and a destination-based static route towards the outside-new interface.

Now, when I try to access that destination from my end PC, I am unable to. If I remove the ACL from either of the NAT statements, it works. So what is the principle here?

There are no NAT ID priority preferences, like 10, 20, etc.

Please clarify my doubt.

Regards,

GanAlagu07

Jennifer Halim
Cisco Employee

The more specific NAT statement will have higher preference than the less specific one.

If you have ACLs that say:

access-list test10 permit ip host 10.1.1.1 host 200.1.1.1

access-list test20 permit ip 10.1.1.0 255.255.255.0 host 200.1.1.1

nat (inside) 10 access-list test10

nat (inside) 20 access-list test20

The NAT statement for ACL test10 will be matched.

Hi,

What if I have the same type of ACL, i.e. the same source and destination addresses in both?

Regards,

Gan

Hi Ganeshan,

In that case, if the traffic matches the first access-list, then it will pass with that.

Access-lists are evaluated in top-to-bottom order.

Please be advised that it is not recommended to use overlapping networks in the NAT access-lists (in your example, using exactly the same ACL is strongly not recommended at all).

Here is the NAT order of operation for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279

Hope that helps.
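As an added illustration (not from the thread or from Cisco), here is a small Python model of the policy-NAT lookup the replies describe: the access-list and nat lines from Jennifer's example are parsed, a flow is matched top to bottom until the first hit, and ACL entries that overlap across different NAT IDs (the configuration the thread advises against) are reported so they can be caught in a config review before they cause the reachability problem described in the question. The parser and the first-match rule are simplifications assumed here; the linked NAT order-of-operation document is authoritative.

```python
import ipaddress
from typing import NamedTuple

# Constructed configuration excerpt, taken from the example in the thread: two
# policy-NAT ACLs whose entries overlap (host 10.1.1.1 lies inside 10.1.1.0/24).
CONFIG = """
access-list test10 permit ip host 10.1.1.1 host 200.1.1.1
access-list test20 permit ip 10.1.1.0 255.255.255.0 host 200.1.1.1
nat (inside) 10 access-list test10
nat (inside) 20 access-list test20
"""

class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _parse_addr(tokens):
    """Consume 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Return (acls, nat_order): ACL name -> [Ace], and [(nat_id, acl_name)] in config order."""
    acls, nat_order = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _parse_addr(t[4:])
            dst, _ = _parse_addr(rest)
            acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[:1] == ["nat"] and "access-list" in t:
            nat_order.append((int(t[2]), t[t.index("access-list") + 1]))
    return acls, nat_order

def first_match(acls, nat_order, src_ip, dst_ip):
    """Top-to-bottom first match, as the reply describes: the NAT ID hit, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, name in nat_order:
        if any(s in ace.src and d in ace.dst for ace in acls.get(name, [])):
            return nat_id
    return None

def overlapping_nat_ids(acls, nat_order):
    """Pairs of NAT IDs whose ACL entries can both match one flow (the thread's warning)."""
    hits = []
    for i, (id_a, name_a) in enumerate(nat_order):
        for id_b, name_b in nat_order[i + 1:]:
            for a in acls.get(name_a, []):
                for b in acls.get(name_b, []):
                    if a.src.overlaps(b.src) and a.dst.overlaps(b.dst):
                        hits.append((id_a, id_b, "identical" if a == b else "overlap"))
    return hits
```

With this configuration the host flow 10.1.1.1 to 200.1.1.1 lands on NAT ID 10 and any other 10.1.1.0/24 host on NAT ID 20, while the overlap check flags the (10, 20) pair for review.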
