Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

137
Views
0
Helpful
3
Replies
stoneystone
stoneystone Beginner
Beginner
‎08-30-2009 07:06 PM
‎08-30-2009 07:06 PM

nat Question

I have a question about nat. I have the following config in a ASA firewall:

nat (outside) 4 10.0.0.99 255.255.255.255

nat (outside) 4 10.0.1.66 255.255.255.255

nat (outside) 4 10.0.0.128 255.255.255.255

nat (outside) 4 10.0.1.0 255.255.255.0

nat (outside) 0 10.1.0.0 255.255.255.0

nat (outside) 0 10.2.0.0 255.255.255.0

Are there nat commands that are doing the same? If I understand nat'ing, this command:

nat (outside) 4 10.0.1.0 255.255.255.0

covers these commands

nat (outside) 4 10.0.1.66 255.255.255.255

And these:

nat (outside) 4 10.0.1.0 255.255.255.0

covers?

nat (outside) 4 10.0.1.66 255.255.255.255

are doing the same thing.

Also,

nat (name) 5 172.19.0.222 255.255.255.255

nat (name) 2 172.19.0.0 255.255.255.0

Which command will the FW look at first? Is the first command necessary?

I would appreciate an explanation of these natting commands. I have a situation of many natting commands and it looks like some are doing the same thing.

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hitesh Vinzoda
Hitesh Vinzoda Enthusiast
Enthusiast
‎09-01-2009 08:14 AM
‎09-01-2009 08:14 AM

Re: nat Question

Hi,

Please rate the post.. if the answer was helpful

Regards

Hitesh Vinzoda

View solution in original post

0 Helpful
Reply
3 REPLIES 3
Hitesh Vinzoda
Hitesh Vinzoda Enthusiast
Enthusiast
‎08-30-2009 10:40 PM
‎08-30-2009 10:40 PM

Re: nat Question

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list)-In order, until the first match. Identity NAT is not included in

this category; it is included in the regular static NAT or regular NAT category. We do not recommend

overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static)-In order, until the first match. Static

identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list)-In order, until the first match. Overlapping addresses are

allowed.

4. Regular dynamic NAT (nat)-Best match. Regular identity NAT is included in this category. The

order of the NAT commands does not matter; the NAT statement that best matches the real address

is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an

interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you

can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific

statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using

overlapping statements; they use more memory and can slow the performance of the security

appliance.

HTH

Regards

Hitesh Vinzoda

0 Helpful
Reply
stoneystone
stoneystone Beginner
Beginner
‎09-01-2009 06:27 AM
‎09-01-2009 06:27 AM

Re: nat Question

Hitesh,

Thanks for the explaination. I appreciate your time.

0 Helpful
Reply
Highlighted
Hitesh Vinzoda
Hitesh Vinzoda Enthusiast
Enthusiast
‎09-01-2009 08:14 AM
‎09-01-2009 08:14 AM

Re: nat Question

Hi,

Please rate the post.. if the answer was helpful

Regards

Hitesh Vinzoda

View solution in original post

0 Helpful
Reply
Latest Contents
Community Live video- Getting to know Cisco SD-WAN
Created by hiarteag on 12-13-2019 11:11 AM
0
0
0
0
Community Live video- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Wednesday 11th, December 2019 at 10hrs PDT  This sessio... view more
CDP/LLDP neighbors via SNMP - command line tools
Created by Oleg Volkov on 12-12-2019 09:07 AM
2
0
2
0
Hi!Need to find network devices but not want to open SSH and do show cdp nei, show lldp nei and then need to sh cdp nei gig0/1 det and more.... ?Now You can do from PowerShell.\cdplldp.exe -v v3 -u <SNMPv3 user> -a SHA -w <SNMPv3 authkey> -pp ... view more
Community Live slides - Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-10-2019 06:56 PM
0
0
0
0
Community Live slides- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Wednesday 11th, December 2019 at 10hrs PDT  This sessi... view more
Ask Me Anything event - Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-10-2019 06:48 PM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about the Cisco Software-Defined WAN (SD-WAN) solution, its historical roo... view more
Ask Me Anything event - Configuration, Verification, and Tro...
Created by ciscomoderator on 12-09-2019 03:03 PM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about the configuration, verification, troubleshooting and gener... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad