Solved: Policy NAT order

Michal Valach · ‎11-12-2013

Hello,

I would like to ask about which global nat will take place for: 10.90.3.1 which is accessing 333.333.333.333 ?

nat (inside) 1 access-list cust1

global (outside) 1 111.111.111.111

nat (inside) 2 access-list cust2

global (outside) 2 222.222.222.222

access-list cust1 extended permit ip 10.90.0.0 255.255.0.0 any

access-list cust2 extended permit ip 10.90.0.0 255.255.0.0 host 333.333.333.333

Jouni Forss · ‎11-12-2013

Hi,

They should be applied in the order they are configured. I am not sure if the ID number of the NAT had any effect to it.

Unless this NAT configurations is from an old PIX then you should be able to use the "packet-tracer" command to confirm which Dynamic Policy PAT rule is matched

packet-tracer input inside tcp 10.90.3.1 12345 333.333.333.333 80

Naturally replace the 333.333.333.333 with the correct destination IP address

- Jouni

View solution in original post

Jouni Forss · ‎11-12-2013

Hi,

They should be applied in the order they are configured. I am not sure if the ID number of the NAT had any effect to it.

Unless this NAT configurations is from an old PIX then you should be able to use the "packet-tracer" command to confirm which Dynamic Policy PAT rule is matched

packet-tracer input inside tcp 10.90.3.1 12345 333.333.333.333 80

Naturally replace the 333.333.333.333 with the correct destination IP address

- Jouni

Michal Valach · ‎11-13-2013

Yes it is applied in the order I configured. Thx