
NAT in ASA

negithecool
Level 1

Hello,

I am running ASA 8.4 and will be grateful if someone can resolve my concern.

I performed the steps below:

1. Manual NAT

nat (inside,outside) source dynamic local global

object network local
 subnet 8.8.8.0 255.255.255.0
object network global
 range 192.168.20.2 192.168.20.4

2. Auto NAT

object network local
 subnet 8.8.8.0 255.255.255.0
 nat (inside,outside) dynamic global

ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic local global
    translate_hits = 4, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic local global
    translate_hits = 0, untranslate_hits = 0

At this stage, is it possible to change the NAT order through the CLI and put auto NAT before manual NAT, without deleting any NAT rule?

I tried to run the command below to change the NAT order, but I am getting the same output as before and Manual NAT is above Auto NAT.

nat (inside,outside) after-auto source dynamic local global

2 Replies

At this stage, is it possible to change the NAT order through the CLI and put auto NAT before manual NAT, without deleting any NAT rule?

No, this is not possible. Auto NAT rules cannot be placed in the Manual NAT section. You will need to recreate the rule in manual NAT. Placing a NAT rule in after-auto manual NAT will cause those manual NAT rules to be matched after the Auto-NAT rules have been matched. So, if you have any rule in Auto NAT that will match the traffic, then you will never match your rule in Auto NAT.

What are you trying to achieve?

--

Please remember to select a correct answer and rate helpful posts


Hello Marius,

Thanks for the reply.

I have configured both Manual and Auto statements.

ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic local global
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic local interface
    translate_hits = 0, untranslate_hits = 0

ciscoasa#

I configured the statement below to put the Auto rule before the manual rule, but the NAT rule order didn't change.

nat (inside,outside) after-auto source dynamic local global

When I deleted the manual NAT rule and once again configured the statement below, the Auto rule was before the manual rule.

nat (inside,outside) after-auto source dynamic local global

ciscoasa(config)# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic local interface
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic local global
    translate_hits = 0, untranslate_hits = 0
ciscoasa(config)#

I need to know whether we cannot change the NAT order within the existing configuration?

It seems that to place Auto NAT before Manual NAT, we need to delete the Manual NAT rule and reconfigure it. Am I right?

I just want to know this from a learning perspective.
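
An added example, not part of the thread: a small Python audit of `show nat` output that lists rules in match order (Section 1, then 2, then 3) and flags a later rule whose interfaces and real-source object repeat an earlier one, as in the two outputs quoted above. The function names are hypothetical, and comparing object names only (no subnet overlap, no service match) is a simplifying assumption.

```python
import re
SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (?:static|dynamic) (\S+) (\S+)")
HITS_RE = re.compile(r"^translate_hits = (\d+), untranslate_hits = (\d+)")

# `show nat` output quoted in the thread: before and after re-creating the manual rule.
BEFORE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic local global
    translate_hits = 4, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic local global
    translate_hits = 0, untranslate_hits = 0
"""
AFTER = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic local interface
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic local global
    translate_hits = 0, untranslate_hits = 0
"""

def parse_show_nat(text):
    """Return the rules sorted by (section, line), the order in which they are matched."""
    rules, section = [], None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION_RE.match(line):
            section = int(m.group(1))
        elif (m := RULE_RE.match(line)) and section is not None:
            rules.append({"section": section, "line": int(m.group(1)), "hits": 0,
                          "real_if": m.group(2), "mapped_if": m.group(3), "real": m.group(4),
                          "mapped": m.group(5), "has_dest": " destination " in line})
        elif (m := HITS_RE.match(line)) and rules:
            rules[-1]["hits"] = int(m.group(1))
    return sorted(rules, key=lambda r: (r["section"], r["line"]))

def shadowed(rules):
    """Pairs (winner, loser): same interfaces and same real-source object name (assumption)."""
    first, pairs = {}, []
    for r in rules:
        key = (r["real_if"], r["mapped_if"], r["real"])
        if key in first:
            pairs.append((first[key], r))
        elif not r["has_dest"]:  # a rule with a destination clause claims only part of the traffic
            first[key] = r
    return pairs
```

Calling `shadowed(parse_show_nat(BEFORE))` reports the Section 1 manual rule ahead of the Section 2 auto rule, and with `AFTER` the Section 2 auto rule ahead of the Section 3 after-auto rule.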
