nat order and deny statements in acl's

david.buitendag
Level 1

I have recently upgraded an ASA from version 7.0 to 7.2.2. After the upgrade a number of nat statements had been removed. This was related to icmp specific acl's in the nat acl's. After resolving this, the nat statements were re-added at the end of the nat list. The problem is that the ASA seems to match nat 3 rather than nat 2 (which is now at the end of the list). I have added a deny to the access-list for the specific traffic for nat3; however, the ASA still seems to be matching the acl for nat3.

I have used deny statements in nat acl's before and haven't had a problem; however, this doesn't appear to be working.

The acl's for the nat statements are below.

access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0

access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0

access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0

Output for the packet-tracer is below.

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 0 access-list nat0-inside

nat (inside) 3 access-list nat3-inside

match ip inside 172.18.0.0 255.255.0.0 outside 161.143.48.0 255.255.255.0

dynamic translation to pool 3 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Any assistance would be appreciated!


Hi,

You have created 3 access-lists with different names, so there is confusion in the ordering!!! (Each acl has only one entry.)

Regarding nat, it will be processed one after one from top to bottom.

[If you are using both static nat and dynamic nat, static nat will take the priority].

In your scenario, since you have attached Acl-3 with nat3, acl-2 will not come into play anymore.

So, remove the following command:

nat(inside)3 access-list nat3-inside

Add the following one:

nat(inside)3 access-list nat2-inside.

[Just changed the access-list]

Hope it helps.

--Jaffer

acomiskey
Level 10

There isn't a nat command in your config which references nat2. The one in your config references nat3 which is why it is matching it.

Thanks for your replies. I do have a global for the nat 2, I just didn't post it. I only posted the config relevant to the subject.

The nat 2 statement comes after the nat 3 statement as it was removed from the config after the upgrade. I was just enquiring if anyone has had any problems using a deny in the acl's for the nat statements and if a deny in the acl's would ignore the specific traffic for NAT? But not to worry... I will simply remove the current NAT statements and put them back in the same order that they were prior to the upgrade.
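As an added illustration (not from the thread, not Cisco's code), here is a small Python model of the semantics the original poster expects from a deny ACE in a nat access-list: nat rules are walked in config order, a permit ACE selects that nat rule, and a deny ACE exempts the flow from that rule so evaluation continues to the next one. The three ACLs are the ones posted above; the nat order with nat 2 re-added last is constructed from the description, and the parsing and deny handling are this model's assumptions, not the ASA's real NAT engine (the packet-tracer output in the thread shows the box did not behave this way).

```python
import ipaddress

# Constructed sample: the three one-line ACLs from the thread plus the nat
# order the poster describes (nat 2 re-added after nat 3). Not a real ASA.
CONFIG = """
access-list nat0-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
access-list nat3-inside line 1 extended deny ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
access-list nat2-inside line 1 extended permit ip 172.18.0.0 255.255.0.0 161.143.48.0 255.255.255.0
nat (inside) 0 access-list nat0-inside
nat (inside) 3 access-list nat3-inside
nat (inside) 2 access-list nat2-inside
"""

def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, [(nat_id, acl_name), ...])."""
    acls, nats = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            i = t.index("extended")          # "... extended ACTION ip SRC SMASK DST DMASK"
            action, src, smask, dst, dmask = t[i + 1], t[i + 3], t[i + 4], t[i + 5], t[i + 6]
            acls.setdefault(t[1], []).append((action,
                ipaddress.ip_network(f"{src}/{smask}"),
                ipaddress.ip_network(f"{dst}/{dmask}")))
        elif t[0] == "nat":
            nats.append((int(t[2]), t[4]))   # "nat (inside) ID access-list NAME"
    return acls, nats

def select_nat(acls, nats, src_ip, dst_ip):
    """Walk nat rules in config order. Inside each ACL the first matching ACE
    decides: permit -> this nat rule applies; deny -> the flow is exempt from
    this rule and the walk continues. No ACE match also skips the rule.
    Returns the nat id, or None when no policy nat rule claims the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, acl_name in nats:
        for action, src_net, dst_net in acls.get(acl_name, []):
            if src in src_net and dst in dst_net:
                if action == "permit":
                    return nat_id
                break  # explicit deny: skip this nat rule, try the next one
    return None

if __name__ == "__main__":
    acls, nats = parse_config(CONFIG)
    print(select_nat(acls, nats, "172.18.1.10", "161.143.48.5"))  # 2
    print(select_nat(acls, nats, "172.18.1.10", "10.1.1.1"))       # None
```

Under these semantics the 172.18.0.0/16 to 161.143.48.0/24 flow falls through the deny ACEs in nat0-inside and nat3-inside and lands on nat 2, which is the result the poster wanted to confirm.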
