Solved: Re: nat id order of priority

insomniacgames_nc · ‎05-15-2009

If I have multiple Nat's for the same interface, will they be matched in order by the lowest nat-id first (other than 0)

Collin Clark · ‎05-15-2009

It will, but not because of nat-id order (I believe), it will because access list 2 is a longer match.

View solution in original post

Collin Clark · ‎05-15-2009

Here's a link that should help-

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

insomniacgames_nc · ‎05-15-2009

That list doesn't show the order of multiple nats.

I have:

nat (inside) 2 access-list list_1

nat (inside) 3 access-list list_2

access-list list_2 extended permit ip 10.100.0.0 255.255.0.0 host 65.1.1.1

access-list list_3 extended permit ip 10.100.0.0 255.255.0.0 any

will list 2 be used first if going to host 65.1.1.1 in EVERY case because the nat-id is lower than the other nat

thanks

carlos fernandez

Collin Clark · ‎05-15-2009

The NAT will match the global, which is mapped to the ACL. Are you saying you have multiple globals assigned to an interface and the ACL's have the same source and you want to know which will happen first?

insomniacgames_nc · ‎05-15-2009

yes. forgot the global cmds

access-list list_2 extended permit ip 10.100.0.0 255.255.0.0 host 65.1.1.1

access-list list_3 extended permit ip 10.100.0.0 255.255.0.0 any

global (outside) 2 65.2.2.2

global (outside) 3 65.3.3.3

nat (inside) 2 access-list list_1

nat (inside) 3 access-list list_2

If I am trying to get to 65.1.1.1, will my global source always be 65.2.2.2 because of nat-id order

thanks,

carlos

Collin Clark · ‎05-15-2009

It will, but not because of nat-id order (I believe), it will because access list 2 is a longer match.

View solution in original post

insomniacgames_nc · ‎05-15-2009

just thought of this

what I need is

access-list list_3 extended deny ip 10.100.0.0 255.255.0.0 host 65.1.1.1

access-list list_3 extended permit ip 10.100.0.0 255.255.0.0 host 65.1.1.1

carlos