08-30-2009 07:06 PM - last edited on 03-25-2019 04:07 PM by ciscomoderator
I have a question about NAT. I have the following config in an ASA firewall:
nat (outside) 4 10.0.0.99 255.255.255.255
nat (outside) 4 10.0.1.66 255.255.255.255
nat (outside) 4 10.0.0.128 255.255.255.255
nat (outside) 4 10.0.1.0 255.255.255.0
nat (outside) 0 10.1.0.0 255.255.255.0
nat (outside) 0 10.2.0.0 255.255.255.0
Are there nat commands that are doing the same? If I understand nat'ing, this command:
nat (outside) 4 10.0.1.0 255.255.255.0
covers this command:
nat (outside) 4 10.0.1.66 255.255.255.255
And these:
nat (outside) 4 10.0.1.0 255.255.255.0
covers?
nat (outside) 4 10.0.1.66 255.255.255.255
are doing the same thing.
Also,
nat (name) 5 172.19.0.222 255.255.255.255
nat (name) 2 172.19.0.0 255.255.255.0
Which command will the FW look at first? Is the first command necessary?
I would appreciate an explanation of these natting commands. I have a situation of many natting commands and it looks like some are doing the same thing.
08-30-2009 10:40 PM
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list): in order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static): in order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list): in order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat): best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.
HTH
Regards
Hitesh Vinzoda
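To make the precedence in the answer above concrete, here is an added example (not from the thread or from Cisco) that models the four categories and runs the poster's own nat lines through them. It assumes that two statements sharing an interface and nat id draw from the same global pool, so a narrower statement fully covered by a broader one with the same id adds nothing but memory; the parser and rule model are constructed for this illustration.

```python
import ipaddress
from collections import namedtuple

# Precedence from the answer above: lower category wins. Within categories 0-2 the
# first configured match is used; within category 3 the best (longest prefix) match.
EXEMPT, STATIC, POLICY_DYN, REGULAR_DYN = range(4)

Rule = namedtuple("Rule", "category iface nat_id net line")

def parse_nat(line, category=REGULAR_DYN):
    """Parse a 'nat (iface) id real_ip mask' line into a Rule (constructed parser,
    not an ASA feature). Lines carrying an access-list are categorised by the caller."""
    parts = line.split()
    iface = parts[1].strip("()")
    net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
    return Rule(category, iface, int(parts[2]), net, line)

# The poster's config. Plain 'nat 0' without an access-list is identity NAT, which the
# answer places in the regular dynamic NAT category, not in NAT exemption.
CONFIG = [
    "nat (outside) 4 10.0.0.99 255.255.255.255",
    "nat (outside) 4 10.0.1.66 255.255.255.255",
    "nat (outside) 4 10.0.0.128 255.255.255.255",
    "nat (outside) 4 10.0.1.0 255.255.255.0",
    "nat (outside) 0 10.1.0.0 255.255.255.0",
    "nat (outside) 0 10.2.0.0 255.255.255.0",
    "nat (name) 5 172.19.0.222 255.255.255.255",
    "nat (name) 2 172.19.0.0 255.255.255.0",
]
RULES = [parse_nat(l) for l in CONFIG]

def nat_lookup(real_ip, iface, rules=RULES):
    """Return the Rule the appliance would apply to real_ip on iface, or None."""
    ip = ipaddress.ip_address(real_ip)
    for cat in (EXEMPT, STATIC, POLICY_DYN, REGULAR_DYN):
        hits = [r for r in rules if r.category == cat and r.iface == iface and ip in r.net]
        if not hits:
            continue
        if cat == REGULAR_DYN:
            return max(hits, key=lambda r: r.net.prefixlen)  # best match, order irrelevant
        return hits[0]                                       # first match in config order
    return None

def redundant_rules(rules=RULES):
    """Regular dynamic NAT rules fully covered by a broader rule on the same interface
    with the same nat id (assumed: same global pool), i.e. statements that only cost memory."""
    return [r.line for r in rules if r.category == REGULAR_DYN and any(
        o is not r and o.category == REGULAR_DYN and o.iface == r.iface
        and o.nat_id == r.nat_id and r.net.subnet_of(o.net)
        and o.net.prefixlen < r.net.prefixlen for o in rules)]
```

With this model, 10.0.1.66 still hits its own /32 (best match), but that /32 is reported as redundant because the /24 with the same id 4 already covers it; 172.19.0.222 is not redundant, since its /32 uses id 5 while the /24 uses id 2.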
09-01-2009 06:27 AM
Hitesh,
Thanks for the explanation. I appreciate your time.
09-01-2009 08:14 AM
Hi,
Please rate the post if the answer was helpful.
Regards
Hitesh Vinzoda