03-26-2009 07:04 AM - edited 03-11-2019 08:10 AM
All,
I have a nat 0 ACL stating an IP address should not be NATted, while a static NAT statement says it should be NATted. I just want to know which one will take precedence.
Thanks,
03-26-2009 07:20 AM
nat 0 ACL will take precedence.
Here is the NAT order of operation:
1) NAT exemption - When multiple NAT types/rules are set up, the security appliance tries to match traffic against the ACL in the NAT exemption rules. If there are overlapping entries in the ACL, the security appliance analyzes the ACEs until a match is found.
2) Static NAT - If there is no match found in the NAT exemption rules, the security appliance analyzes the static NAT entries in sequential order to determine a match.
3) Static PAT - If the security appliance does not find a match in NAT exemption or static NAT entries, it goes through the static PAT entries until it locates a match.
4) Policy NAT/PAT - The security appliance evaluates the policy NAT entries if it is still not able to find a match on the packet flow.
5) Identity NAT - The security appliance tries to find a match using the identity NAT statement, if one is set up to do so.
6) Dynamic NAT - If the security appliance fails to find a match using the first five rules, it checks to see if the packets need to be translated using dynamic NAT.
7) Dynamic PAT - The packets are checked against the dynamic PAT rules as the last resort, if all the previously mentioned rules fail.
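To make the precedence rules above concrete, here is an added Python model of the classic (pre-8.3) ASA NAT lookup order described in the answer; it is not Cisco code or anything posted in this thread, and the rule set, names and addresses are constructed for illustration. It shows the nat 0 exemption beating a static entry for the same host, a static entry beating a policy NAT entry regardless of configuration order, and the later fix of converting the policy rule to a static rule placed first.

```python
from ipaddress import ip_address, ip_network

# Lookup order quoted in the answer above: the appliance walks the types in
# this sequence, and inside one type takes the first configured rule that fits.
NAT_ORDER = ["exemption", "static", "static_pat", "policy",
             "identity", "dynamic", "dynamic_pat"]

def matches(rule, src, dst):
    """A rule fits a flow when the source is in its network and, for rules
    that carry a destination (nat 0 ACL / policy NAT), the destination too."""
    if ip_address(src) not in ip_network(rule["src"]):
        return False
    return "dst" not in rule or ip_address(dst) in ip_network(rule["dst"])

def select_rule(rules, src, dst):
    """Return the rule that wins for a src->dst flow, or None (no translation)."""
    for kind in NAT_ORDER:                 # type precedence first ...
        for rule in rules:                 # ... then configured order within a type
            if rule["type"] == kind and matches(rule, src, dst):
                return rule
    return None

def winner(rules, src, dst):
    rule = select_rule(rules, src, dst)
    return rule["name"] if rule else "no-nat"

# Constructed sample configuration (hypothetical, not from the thread).
RULES = [
    {"name": "static-host", "type": "static", "src": "10.1.1.5/32"},
    {"name": "nat0-to-dmz", "type": "exemption", "src": "10.1.1.0/24", "dst": "172.16.0.0/24"},
    {"name": "policy-vpn", "type": "policy", "src": "10.1.2.0/24", "dst": "192.168.50.0/24"},
    {"name": "static-net", "type": "static", "src": "10.1.2.0/24"},
    {"name": "pat-outside", "type": "dynamic_pat", "src": "10.0.0.0/8"},
]

# The fix reported later in the thread: make the policy rule a static rule and
# order it ahead of the broader static entry so it is evaluated first.
FIXED_RULES = [
    {"name": "static-vpn", "type": "static", "src": "10.1.2.0/24", "dst": "192.168.50.0/24"},
    {"name": "static-net", "type": "static", "src": "10.1.2.0/24"},
    {"name": "pat-outside", "type": "dynamic_pat", "src": "10.0.0.0/8"},
]

if __name__ == "__main__":
    print(winner(RULES, "10.1.1.5", "172.16.0.9"))        # nat0-to-dmz (exemption beats static)
    print(winner(RULES, "10.1.1.5", "8.8.8.8"))           # static-host
    print(winner(RULES, "10.1.2.7", "192.168.50.1"))      # static-net (policy never reached)
    print(winner(FIXED_RULES, "10.1.2.7", "192.168.50.1"))  # static-vpn
```

A quick way to check an intended exemption on a real box is to confirm that no xlate is created for the flow, since a static entry that wins silently creates one.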
04-02-2009 01:27 PM
I have a policy NAT/PAT that I would like to take precedence over a static NAT.
How is this accomplished?
04-02-2009 06:40 PM
I don't think that's possible.
04-02-2009 07:17 PM
jschmied, you will have to convert your static NAT statement into some sort of policy NAT statement that takes a lower precedence.
04-08-2009 12:46 PM
Thanks to all for the help on this. I just wanted to let you know that the solution that worked for us was to change the policy NAT to a static NAT and then reorder the two static NAT statements to the order we wanted. Thanks again!