11-23-2006 12:36 AM - edited 03-11-2019 01:59 AM
When both NAT and static statements are there, static will take precedence, say, for example, if the traffic is from the same host and outbound. In this case, will it work for outbound access using static if NAT is removed?
11-23-2006 03:04 AM
If you have a host falling under a self static statement as well as under a global NAT statement, the static NAT statement will take precedence.
Order of NAT Commands Used to Match Local Addresses
The firewall matches local traffic to NAT commands in the following order:
1. nat 0 access-list (NAT exemption): In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.
2. static (static NAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.
3. static {tcp | udp} (static PAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.
4. nat nat_id access-list (policy NAT): In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.
5. nat (regular NAT): Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.
--Pls rate if useful--
11-23-2006 07:36 PM
Yes, it will work.
For example, if initially you used a NAT/global pair to allow the internal host to go out to the internet, then you changed it to static NAT, i.e., "static (inside,outside)
But since you statically map it to a public IP, be extra careful with the outside ACL, which might open unnecessary ports for outsiders to come into your server.
HTH
AK
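
The matching order quoted in the thread, and the answer that a static keeps handling outbound traffic once the nat/global pair is removed, modelled as an added example (not part of the thread and not Cisco code). The rule schema, rule names and addresses are constructed for illustration, and "best match" for regular NAT is assumed to mean longest prefix.

```python
import ipaddress

# Order from the list quoted in the thread; earlier kinds win.
ORDER = ["nat0_acl", "static", "static_pat", "policy_nat", "nat"]

def net(cidr):
    return ipaddress.ip_network(cidr)

def select_rule(rules, src, dst, proto=None, local_port=None):
    """Pick the rule applied to local host `src` talking to `dst`.

    `rules` is a list of dicts in configuration order. The keys (kind, local,
    dest, proto, port, name) are this model's own schema, not PIX syntax.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ORDER:
        hits = []
        for r in rules:
            if r["kind"] != kind or s not in net(r["local"]):
                continue
            if "dest" in r and d not in net(r["dest"]):
                continue  # ACL-based rules also match on destination
            if kind == "static_pat" and (r["proto"], r["port"]) != (proto, local_port):
                continue
            hits.append(r)
        if not hits:
            continue
        if kind == "nat":
            # Regular NAT: best match, assumed here to be the longest prefix.
            return max(hits, key=lambda r: net(r["local"]).prefixlen)
        return hits[0]  # every other kind: first match in configuration order
    return None

def winner(rules, src, dst, **kw):
    rule = select_rule(rules, src, dst, **kw)
    return rule["name"] if rule else None

# Constructed sample rule set (RFC 1918 / documentation addresses).
RULES = [
    {"name": "nat-any", "kind": "nat", "local": "0.0.0.0/0"},
    {"name": "nat-host", "kind": "nat", "local": "10.1.1.1/32"},
    {"name": "static-host", "kind": "static", "local": "10.1.1.5/32"},
    {"name": "exempt-vpn", "kind": "nat0_acl",
     "local": "10.1.1.0/24", "dest": "192.168.50.0/24"},
]
# The scenario asked about: the nat/global pair removed, static left in place.
NO_NAT = [r for r in RULES if r["kind"] != "nat"]
```

Running a planned rule set through a model like this before removing a nat/global pair shows which hosts would be left with no translation at all, and which hosts become reachable through a static and therefore depend on the outside ACL.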