Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
525
Views
5
Helpful
2
Replies

Order of NAT

Go to solution
sushil
Level 1
Level 1

‎04-21-2011 04:25 AM - edited ‎03-11-2019 01:24 PM

Hi,

Wanted to know order of NAT from version 8.3 onwards.

Deocumentation says Section 1 Twice Nat

                                 Section 2 Network Object Nat

                                 Section 3 Twice Nat

By default twice nat falls in Section1 (Correct me if I am wrong). How come it also falls in Sections3 as well.Is it something like bypassing nat (more like Nat 0 of older versions) while configuring VPN?

Reg,

Sushil

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee

‎04-21-2011 05:12 AM

Hi Sushil,

The order of NAT in 8.3 and above is:

1. Manual Nat

2. Auto NAT

3. After-Auto

After auto, are Manual Nat's with the "after-auto" keyword in them. These are processed after Manual nat rules without that keyword, and auto nat.

syntax: nat (intf1,intf2) after-auto ....

An ideal scenario, where you would use this would be:

All statics configured using Auto NAT.

For some reason, interface pat for internet is to be done using manual nat.

If you use the class 1 manual nat, then it will break all the auto nat static forwards. Hence, you add after-auto, so that it is processed only after the statics are checked.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

View solution in original post

2 Replies 2

Go to solution
Shrikant Sundaresh
Cisco Employee
Cisco Employee

‎04-21-2011 05:12 AM

Hi Sushil,

The order of NAT in 8.3 and above is:

1. Manual Nat

2. Auto NAT

3. After-Auto

After auto, are Manual Nat's with the "after-auto" keyword in them. These are processed after Manual nat rules without that keyword, and auto nat.

syntax: nat (intf1,intf2) after-auto ....

An ideal scenario, where you would use this would be:

All statics configured using Auto NAT.

For some reason, interface pat for internet is to be done using manual nat.

If you use the class 1 manual nat, then it will break all the auto nat static forwards. Hence, you add after-auto, so that it is processed only after the statics are checked.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Go to solution
sushil
Level 1
Level 1
In response to Shrikant Sundaresh

‎04-21-2011 05:38 AM

Ultimate discription Shrikant.Thanks a ton.

Reg,

Sushil

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card