Translation Preference

kishore_b32
Level 1

Hi,

I want to know by what preference translation in the firewall takes place.

Static NAT, nonat, PAT, policy NAT...

Accepted Solution

Order of NAT Commands Used to Match Real Addresses

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list): In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static): In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list): In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

Also see:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00804522f6.html

Under the chapter on applying NAT.

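A model of the lookup order quoted above, as an added example that is not part of the thread or of Cisco's documentation. It parses a small constructed pre-8.3 style configuration (the `SAMPLE_CONFIG` string, invented for this example), sorts the rules into the four categories, and reports which command a given real/destination pair would hit: first match in configuration order for categories 1 to 3, best (longest real-prefix) match regardless of order for category 4. Assumptions: only the command forms shown are parsed, every rule is taken to sit on the same real interface, and protocols and ports are ignored, so this is a check on precedence, not a full NAT emulator.

```python
"""Model of the pre-8.3 PIX/ASA NAT lookup order quoted in the thread.

Constructed example, not the thread's own config. Only the command forms
below are parsed, all rules are assumed to be on the same real interface,
and protocols/ports are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config (assumption, not from the thread). The static for
# 10.1.1.10 is listed before the nat 0 exemption, and the catch-all nat 1 is
# listed before the more specific nat 3, to show that position only matters
# inside categories 1-3 while category 4 is best-match.
SAMPLE_CONFIG = """
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list POLICY extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
nat (inside) 0 access-list NONAT
nat (inside) 2 access-list POLICY
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 3 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 203.0.113.20
global (outside) 3 203.0.113.30
"""

CATEGORY_NAMES = {1: "NAT exemption", 2: "static NAT/PAT",
                  3: "policy dynamic NAT", 4: "regular dynamic NAT"}

Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    category: int          # 1..4, the lookup order from the configuration guide
    real: Optional[Net]    # real subnet, or None when the rule matches via an ACL
    acl: Optional[str]     # ACL name for nat 0 / policy rules
    position: int          # line position in the config (first-match ordering)
    text: str              # original command, for reporting


def _net(addr: str, mask: str) -> Net:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(cfg: str) -> Tuple[Dict[str, List[Tuple[Net, Net]]], List[NatRule]]:
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    rules: List[NatRule] = []
    for pos, line in enumerate(l.strip() for l in cfg.splitlines()):
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            # access-list NAME extended permit ip SRC SMASK DST DMASK
            acls.setdefault(t[1], []).append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif t[0] == "static":
            if t[3] == "access-list":
                # static (in,out) MAPPED access-list NAME -> policy static, category 2
                rules.append(NatRule(2, None, t[4], pos, line))
            else:
                # static (in,out) MAPPED REAL netmask MASK -> regular static, category 2
                mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
                rules.append(NatRule(2, _net(t[3], mask), None, pos, line))
        elif t[0] == "nat":
            nat_id = int(t[2])
            if t[3] == "access-list":
                # nat 0 access-list = exemption (cat 1); any other id = policy dynamic (cat 3)
                rules.append(NatRule(1 if nat_id == 0 else 3, None, t[4], pos, line))
            else:
                # nat ID REAL MASK, including identity "nat 0 a.b.c.d m" -> category 4
                rules.append(NatRule(4, _net(t[3], t[4]), None, pos, line))
        # global lines do not take part in real-address matching and are ignored
    return acls, rules


def _hits(acls, rule: NatRule, real, dest) -> bool:
    if rule.acl is not None:
        return any(real in s and dest in d for s, d in acls.get(rule.acl, []))
    return real in rule.real


def match_order(rules: List[NatRule]) -> List[NatRule]:
    """Rules in the order the appliance consults them: category, then position."""
    return sorted(rules, key=lambda r: (r.category, r.position))


def lookup(acls, rules: List[NatRule], real: str, dest: str) -> Optional[NatRule]:
    r_ip, d_ip = ipaddress.ip_address(real), ipaddress.ip_address(dest)
    # Categories 1-3: first match in configuration order.
    for rule in match_order(rules):
        if rule.category < 4 and _hits(acls, rule, r_ip, d_ip):
            return rule
    # Category 4: best match (most specific real subnet); order is irrelevant.
    candidates = [r for r in rules if r.category == 4 and r_ip in r.real]
    return max(candidates, key=lambda r: r.real.prefixlen, default=None)


def which_rule(real: str, dest: str, cfg: str = SAMPLE_CONFIG) -> Optional[str]:
    acls, rules = parse_config(cfg)
    hit = lookup(acls, rules, real, dest)
    return None if hit is None else f"{CATEGORY_NAMES[hit.category]}: {hit.text}"


if __name__ == "__main__":
    for real, dest in [("10.1.1.10", "192.168.1.5"), ("10.1.1.10", "8.8.8.8"),
                       ("10.1.1.20", "172.16.5.5"), ("10.1.1.20", "8.8.8.8"),
                       ("10.2.2.2", "8.8.8.8")]:
        print(f"{real} -> {dest}: {which_rule(real, dest)}")
```

Running the file prints the five lookups. The first two show the point the thread is about: 10.1.1.10 has a static, yet traffic to 192.168.1.5 hits the nat 0 exemption because category 1 is consulted before category 2, while traffic to 8.8.8.8 falls through to the static. The last two show the category 4 best-match rule: 10.1.1.20 lands on nat 3 even though the catch-all nat 1 appears first in the config, and an address outside 10.1.1.0/24 lands on the catch-all.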


Fernando_Meza
Level 7

Hi, from experience I would say that static always takes precedence over no-NAT, PAT and policy PAT. Now, if there is a conflict between PAT and nat 0, I believe nat 0 will take precedence.

It would be interesting to know what the other guys have to say!
