05-11-2009 04:38 AM - edited 03-11-2019 08:29 AM
Are NAT statements on the PIX processed in order of NAT ID?
05-11-2009 05:30 AM
Please see this thread for details -
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cd280da/0#selected_message
Jon
05-21-2009 06:14 AM
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)-In order, until the first match. Identity NAT is not included in
this category; it is included in the regular static NAT or regular NAT category.We do not recommend
overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)-In order, until the first match. Static
identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)-In order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NAT (nat)-Best match. Regular identity NAT is included in this category. The
order of the NAT commands does not matter; the NAT statement that best matches the real address
is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you
can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific
statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using
overlapping statements; they use more memory and can slow the performance of the security
appliance.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide