Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
952
Views
15
Helpful
7
Replies

Order of NAT

Go to solution
johnlloyd_13
Level 9
Level 9

‎05-18-2014 08:13 PM - edited ‎03-11-2019 09:12 PM

hi all,

sorry for being a noob, but would like to clarify/review the order of NAT on 8.3+. referring to doc below:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

i'm going to configure NAT on an ASA and would like to know which order for NAT will inside users going to take first?

my goal is to use PAT-2 first and PAT-1 last. would this be the default behavior?

object network PAT-1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

object network PAT-2
 subnet 172.27.0.0 255.255.0.0
 nat (inside,outside) dynamic 116.212.x.y

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎05-18-2014 10:35 PM

yes, you are correct, based on the configuration above, PAT-2 will take precedence over PAT-1 because PAT-2 has a more specific subnet than PAT-1.

View solution in original post

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to johnlloyd_13

‎05-20-2014 01:41 AM

No, if you are going to use the outside interface IP Address, it needs to be static PAT, not static NAT.

Do you have a set of ports that needs to be opened for 172.27.252.210?

View solution in original post

7 Replies 7

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎05-18-2014 10:35 PM

yes, you are correct, based on the configuration above, PAT-2 will take precedence over PAT-1 because PAT-2 has a more specific subnet than PAT-1.

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Jennifer Halim

‎05-18-2014 11:47 PM

hi jennifer,

thanks for confirming!

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Jennifer Halim

‎05-19-2014 10:59 PM

hi jeniffer,

is this NAT config valid?

i want to use static NAT to the outside public IP.

or should i put the mapped/global IP instead of the keyword 'interface'?

object network VTC_NCB
 host 172.27.252.210
 nat (inside,outside) static interface

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to johnlloyd_13

‎05-19-2014 11:36 PM

If you would like to configure static NAT using the "outside public IP" instead of spare public IP, best practice is to configure static PAT, instead of static NAT because IP Address assigned to ASA outside interface is also needed for VPN termination (if configured), failover, etc.

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Jennifer Halim

‎05-20-2014 01:12 AM

ok so the IP configured on the 'outside' interface is 116.212.1.2

object network VTC_NCB
 host 172.27.252.210
 nat (inside,outside) static 116.212.1.2

 

this IP/interface is also used for dynamic PAT:

object network PAT-2
 subnet 172.27.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

 

will the two NAT config work concurrently?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to johnlloyd_13

‎05-20-2014 01:41 AM

No, if you are going to use the outside interface IP Address, it needs to be static PAT, not static NAT.

Do you have a set of ports that needs to be opened for 172.27.252.210?

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Jennifer Halim

‎05-20-2014 07:56 PM

hi jennifer,

i think i got it. will assign a dedicated spare public IP for static NAT for 172.27.252.210.

i thought this could be the same case as in IOS routers.

0 Helpful
Review Cisco Networking for a $25 gift card
Top