Solved: Moving Manual NAT to section 3 (after auto nat)

mahesh18 · ‎08-05-2013

Hi All,

We have 3 sections of NAT

1>Manual NAT

2>Auto NAT

3>Manual NAt after Auto.

Lets say on ASA we config Manual and Auto Nat.

Now Order of NAT is

1>Manual

2>Auto

If i move the Manual NAT to section 3 of NAT which is Manual NAT after auto NAT.

Now Order of NAT is

2>Auto

3>Manual NAT after Auto.

Now when i try to do Process Manual NATafter auto section number 3 it does not work as it hits Auto NAt and does not go down.

Need to know the reason behind this?

Regards

MAhesh

Jouni Forss · ‎08-05-2013

Hi Mahesh,

Essentially the main order of the NAT is this

Manual NAT (Section 1)
Auto NAT (Section 2)
Manual NAT (Section 3)

When for example traffic from your LAN comes to the ASA the ASA will go through your NAT conrfigurations in order from Section 1 to Section 2 to Section 3 UNTIL a match is found for the connection according to its source/destination IP/port.

So what your are seeing is that you have atleast 2 NAT rules that match the same connection attempt and after you move a Section 1 Manual NAT to Section 3 Manual NAT that means that some NAT configuration/rule in Section 2 is now probably matching the traffic and therefore the Section 3 Manual NAT is not matched anymore. This is simply because of the above mentioned ordering/priority of the NAT rules/configurations.

- Jouni

View solution in original post

Jouni Forss · ‎08-05-2013

Also as a little side note,

There is also difference in the ordering of the NAT configurations depending on the Section

Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules BUT if they are in the wrong order it might be that other one of them is never used
Section 2 Auto NAT rules are processed in an order that you dont usually decide yourself. The ASA puts them in order according to how they were configured.

So in a nutshell. You can manually set the order of the Manual NAT rules but Auto NAT rules are ordered automatically by the ASA itself.

You can see the current order of the Auto NAT rules with the command

show nat

- Jouni

View solution in original post

Jouni Forss · ‎08-05-2013

Hi Mahesh,

Essentially the main order of the NAT is this

Manual NAT (Section 1)
Auto NAT (Section 2)
Manual NAT (Section 3)

When for example traffic from your LAN comes to the ASA the ASA will go through your NAT conrfigurations in order from Section 1 to Section 2 to Section 3 UNTIL a match is found for the connection according to its source/destination IP/port.

So what your are seeing is that you have atleast 2 NAT rules that match the same connection attempt and after you move a Section 1 Manual NAT to Section 3 Manual NAT that means that some NAT configuration/rule in Section 2 is now probably matching the traffic and therefore the Section 3 Manual NAT is not matched anymore. This is simply because of the above mentioned ordering/priority of the NAT rules/configurations.

- Jouni

mahesh18 · ‎08-05-2013

Thanks Jouni

I got it now

Best reagrds

MAhesh

Jouni Forss · ‎08-05-2013

Also as a little side note,

There is also difference in the ordering of the NAT configurations depending on the Section

Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules BUT if they are in the wrong order it might be that other one of them is never used
Section 2 Auto NAT rules are processed in an order that you dont usually decide yourself. The ASA puts them in order according to how they were configured.

So in a nutshell. You can manually set the order of the Manual NAT rules but Auto NAT rules are ordered automatically by the ASA itself.

You can see the current order of the Auto NAT rules with the command

show nat

- Jouni