Static NAT, Dynamic NAT and PAT

Hi All,

I have a question about the order of NATting among Static NAT, Dynamic NAT and PATting. If any IP is NATted in the ASA configuration with Static NAT, Dynamic NAT and PAT, then as we know the packet would follow the order below:

Static NAT-->Dynamic NAT -->PAT

Can anyone help me understand why? Is it using some principle like the "Principle of MAX match in routing"?

Regards,
Saurabh

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

Unless I have missed some Cisco documentation, which certainly is possible, I think Cisco has only given the basic information on how their firewalls order the NAT rules.

I would first suggest reading the appropriate Configuration Guide for your firewall software level and checking the section that has to do with the ordering of the NAT.

Here is the section in 8.2 software Configuration Guide

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279

Here is the section in 8.4 software Configuration Guide (which has totally rewritten NAT format introduced in 8.3(1))

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

If you want to further check out the new NAT format I would suggest my own document here on the forums

https://supportforums.cisco.com/docs/DOC-31116

Generally the Cisco firewall NAT rule has been decided using both the ordering of the configuration and the type of the NAT. Also when dealing with NAT configurations that all apply to the same source addresses and same NAT type the specific rule has usually been the one chosen. Though I have to say I have gotten a bit distanced from the 8.2 and pre configuration format and operation.

- Jouni
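
A simplified model of the selection described in this thread, added here as an example; it is not part of the original posts and is not Cisco's implementation. It assumes the type order from the question (static NAT, then dynamic NAT, then PAT), the most specific source match within a type, and configuration order as the final tie-break; rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Type precedence as stated in the question: static NAT, dynamic NAT, PAT.
TYPE_ORDER = {"static": 0, "dynamic": 1, "pat": 2}

@dataclass(frozen=True)
class NatRule:
    name: str    # hypothetical label
    kind: str    # "static", "dynamic" or "pat"
    source: str  # real source network in CIDR form
    line: int    # position in the configuration

    @property
    def net(self):
        return ipaddress.ip_network(self.source)

def sort_key(rule):
    # Type first, then longest prefix (most specific), then config order.
    return (TYPE_ORDER[rule.kind], -rule.net.prefixlen, rule.line)

def select_rule(rules, src_ip):
    """Return the rule this model applies to src_ip, or None if none match."""
    ip = ipaddress.ip_address(src_ip)
    matches = [r for r in rules if ip in r.net]
    return min(matches, key=sort_key) if matches else None

def shadowed(rules):
    """Names of rules that can never win: a covering rule always sorts ahead."""
    dead = []
    for r in rules:
        for s in rules:
            if s is not r and r.net.subnet_of(s.net) and (
                TYPE_ORDER[s.kind] < TYPE_ORDER[r.kind]
                or (s.kind == r.kind and s.net == r.net and s.line < r.line)
            ):
                dead.append(r.name)
                break
    return dead

# Constructed sample rule set (RFC 1918 addresses, hypothetical names).
RULES = [
    NatRule("pat-inside", "pat", "10.0.0.0/8", 1),
    NatRule("dyn-lan", "dynamic", "10.1.0.0/16", 2),
    NatRule("static-web", "static", "10.1.1.10/32", 3),
    NatRule("dyn-dmz", "dynamic", "10.1.1.0/24", 4),
    NatRule("static-lab", "static", "10.2.0.0/16", 5),
    NatRule("pat-lab", "pat", "10.2.5.0/24", 6),
]
```

Under these assumptions the narrower `pat-lab` rule is never applied, because `static-lab` covers the same hosts with a higher-precedence type; that is the kind of unintended translation a rule-order review is meant to catch.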
