Policy Dynamic NAT on ASA - Matching Order

ds6123
Level 1

I have in my ASA, config like this:

nat (inside) 1 access-list ACL1

nat (inside) 4 access-list ACL4

nat (inside) 3 access-list ACL3

The document *here* says "Policy dynamic NAT (nat access-list) — In order, until the first match. Overlapping addresses are allowed." 

Now I always thought that meant the order of the numbers in your NAT statement (as opposed to the order they show in your config). Packet-tracer suggests that I'm wrong, however. So it's really the order of the policy NAT statements in the config? Is there a way to gracefully re-order these elements without doing a:

no nat (inside) 4 access-list ACL4

nat (inside) 4 access-list ACL4


Julio Carvajal
VIP Alumni

Hello,

If you do a show run nat, you are going to see the order of the NAT statements in your ASA; as soon as one packet matches a NAT rule, it will use that NAT.

If you want, you can provide us the show run access-list, sh run nat, sh run global and finally the packet tracer so I can analyze it for you.

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio,

The statements above are the order it appears in the config, which is the same as the "show run nat".  So...

show run nat

nat (inside) 1 access-list ACL1

nat (inside) 4 access-list ACL4

nat (inside) 3 access-list ACL3

Notice the order of 3 and 4.

So what you're saying is the order the statements appear in the config is what determines what is matched first (which seems to be what's happening). So ACL1, *ACL4* then ACL3 (the order in the config)? As opposed to ACL1, ACL3 then ACL4 (numerical order of the identifier within the NAT statement).

The config is kinda sanitized, so other info might not make sense.  But basically the packet-tracer is saying ACL4 is matching.  And technically, ACL4 *does* match, so it unfortunately never reaches ACL3.

Now, I know the fix to this.  Just delete nat statement 4 and re-add it.  But nat statement 4 is super critical to operations.  And I wanted confirmation that my thought process was correct, and that there isn't an easier way to re-order the nat statements in the running config besides deleting them (and causing a temporary outage) and re-adding.

Know what I mean?

Hello,

That is correct, the ASA has an order to follow when talking about NAT.

The ASA matches real addresses to NAT rules in the following order:

1. NAT exemption—In order, until the first match.

2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT—Best match.

So as you can see on position number 3 it is a first match, which will happen depending on whether you configure nat 1 or nat 2 first.

Hope this helps.

Do rate helpful posts!!

Julio

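The thread's conclusion (policy dynamic NAT is walked in `show run nat` order, first match wins, the numeric NAT id plays no part) is easy to check with a small simulator. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.2-style config whose `nat` lines mirror the poster's sanitized output, with invented ACL contents. It evaluates a flow both ways (config order versus numeric order) and audits which policy NAT rules can never match because an earlier rule's ACE already covers every one of their ACEs, which is exactly how ACL4 hides ACL3 here. Only `access-list NAME extended permit ip SRC MASK DST MASK|any` entries and `nat (IFACE) ID access-list NAME` lines are understood; everything else is an assumption of this toy, not ASA behaviour.

```python
import ipaddress

# Constructed sample config: the nat lines follow the poster's `show run nat`
# order; the ACL entries are invented for illustration.
SAMPLE_CONFIG = """
access-list ACL1 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list ACL4 extended permit ip 10.1.0.0 255.255.0.0 any
access-list ACL3 extended permit ip 10.1.2.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 1 access-list ACL1
nat (inside) 4 access-list ACL4
nat (inside) 3 access-list ACL3
"""


def _take_net(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, nats): ACEs keyed by ACL name, and policy NAT rules in config order."""
    acls, nats = {}, []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            rest = tokens[5:]
            src_net = _take_net(rest)
            dst_net = _take_net(rest)
            acls.setdefault(tokens[1], []).append((src_net, dst_net))
        elif tokens[0] == "nat" and len(tokens) == 5 and tokens[3] == "access-list":
            iface = tokens[1].strip("()")
            nats.append((iface, int(tokens[2]), tokens[4]))
    return acls, nats


def _first_match(rules, acls, iface, src, dst):
    """Walk the given rule sequence; return the NAT id of the first ACE that matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, nat_id, acl in rules:
        if r_iface != iface:
            continue
        for s_net, d_net in acls.get(acl, []):
            if src in s_net and dst in d_net:
                return nat_id
    return None


def match_config_order(acls, nats, iface, src, dst):
    """What the ASA does: first match in the order the rules appear in the config."""
    return _first_match(nats, acls, iface, src, dst)


def match_numeric_order(acls, nats, iface, src, dst):
    """What the poster originally assumed: first match walking rules by NAT id."""
    return _first_match(sorted(nats, key=lambda r: r[1]), acls, iface, src, dst)


def _covering_rule(ace, earlier, acls):
    """NAT id of the first earlier rule whose ACE fully contains this ACE, else None."""
    for _, e_id, e_acl in earlier:
        for s_net, d_net in acls.get(e_acl, []):
            if ace[0].subnet_of(s_net) and ace[1].subnet_of(d_net):
                return e_id
    return None


def shadowed_rules(acls, nats):
    """Audit: rules whose every ACE is fully covered by an earlier rule on the same
    interface, so they can never match. Partial overlap is legal and not reported."""
    out = []
    for i, (iface, nat_id, acl) in enumerate(nats):
        earlier = [r for r in nats[:i] if r[0] == iface]
        aces = acls.get(acl, [])
        blockers = [_covering_rule(a, earlier, acls) for a in aces]
        if aces and all(b is not None for b in blockers):
            out.append((nat_id, acl, sorted(set(blockers))))
    return out


if __name__ == "__main__":
    acls, nats = parse_config(SAMPLE_CONFIG)
    flow = ("inside", "10.1.2.5", "172.16.1.1")
    print("config order  ->", match_config_order(acls, nats, *flow))   # 4
    print("numeric order ->", match_numeric_order(acls, nats, *flow))  # 3
    print("shadowed      ->", shadowed_rules(acls, nats))              # [(3, 'ACL3', [4])]
```

Running the audit over a real `show run` before changing anything is the check worth having: it tells you which rules are dead today, and a dry run on the intended new ordering tells you what would become dead after a delete-and-re-add, before the outage window.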