Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
Chapter 26 Information About NAT, page 26-19

NAT Rule Order
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three
sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 26-2 shows the
order of rules within each section.
For section 2 rules, for example, suppose you have the following IP addresses defined within network objects:
192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)
Table 26-2 NAT Rule Table
(columns: Table Section, Rule Type, Order of Rules within the Section)

Section 1, Twice NAT:
  Applied on a first-match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.
  Note: If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.

Section 2, Network object NAT:
  Section 2 rules are applied in the following order, as automatically determined by the adaptive security appliance:
  1. Static rules.
  2. Dynamic rules.
  Within each rule type, the following ordering guidelines are used:
  a. Quantity of real IP addresses, from smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.
  b. For quantities that are the same, the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.
  c. If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

Section 3, Twice NAT:
  Section 3 rules are applied on a first-match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.
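The following Python model, added here as an illustration and not part of the Cisco guide, applies the Table 26-2 ordering to the six section 2 objects listed above and then performs the first-match lookup the ASA does across sections 1, 2 and 3. The object names other than "abc" and "def" are placeholders (the page does not name those objects), and the "any-to-outside" catch-all rule is a constructed twice NAT rule used only to show why the Note for section 1 matters: a broad rule placed in section 1 is consulted before every section 2 rule, whereas the same rule in section 3 is only reached when nothing in section 2 matched.

```python
"""Model of the ASA NAT rule table ordering described in Table 26-2.

Added example; the rules, object names and the catch-all rule below are
constructed for illustration and are not configuration from the guide.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str            # network object name (section 2) or a label for a twice NAT rule
    real: IPv4Network    # real (pre-translation) addresses the rule matches
    kind: str            # "static" or "dynamic"
    section: int         # 1, 2 or 3
    config_pos: int = 0  # position in the running configuration (sections 1 and 3 only)


def section2_key(rule: NatRule):
    """Sort key for the ordering the ASA applies automatically within section 2:
    static before dynamic, fewer real addresses first, lower address first,
    and finally the object name in alphabetical order."""
    kind_rank = 0 if rule.kind == "static" else 1
    return (kind_rank, rule.real.num_addresses, int(rule.real.network_address), rule.name)


def order_table(rules: Iterable[NatRule]) -> List[NatRule]:
    """Return all rules in the order the ASA evaluates them: section 1 and 3 in
    configuration order, section 2 sorted by section2_key."""
    rules = list(rules)
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.config_pos)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.config_pos)
    return s1 + s2 + s3


def first_match(rules: Iterable[NatRule], real_ip: str) -> Optional[NatRule]:
    """First-match lookup over the ordered table; returns None if no rule matches."""
    addr = ip_address(real_ip)
    for rule in order_table(rules):
        if addr in rule.real:
            return rule
    return None


# The six section 2 objects listed on this page. Names other than "abc" and
# "def" are placeholders because the page does not name those objects.
SECTION2_OBJECTS = [
    NatRule("net-192-static", ip_network("192.168.1.0/24"), "static", 2),
    NatRule("net-192-dynamic", ip_network("192.168.1.0/24"), "dynamic", 2),
    NatRule("net-10-static", ip_network("10.1.1.0/24"), "static", 2),
    NatRule("host-192-static", ip_network("192.168.1.1/32"), "static", 2),
    NatRule("def", ip_network("172.16.1.0/24"), "dynamic", 2),
    NatRule("abc", ip_network("172.16.1.0/24"), "dynamic", 2),
]


def catch_all(section: int) -> NatRule:
    """Constructed twice NAT rule matching every real address, placed in the given section."""
    return NatRule("any-to-outside", ip_network("0.0.0.0/0"), "dynamic", section, config_pos=1)


def ordered_labels(rules: Iterable[NatRule] = SECTION2_OBJECTS) -> List[str]:
    """Human-readable evaluation order, one label per rule."""
    return [f"{r.real} ({r.kind}) ({r.name})" for r in order_table(rules)]


if __name__ == "__main__":
    for label in ordered_labels():
        print(label)
    # The /32 static object wins for 192.168.1.1 because it has the fewest real addresses.
    print("192.168.1.1  ->", first_match(SECTION2_OBJECTS, "192.168.1.1").name)
    # A catch-all in section 1 shadows every section 2 rule; in section 3 it does not.
    print("section 1 catch-all ->", first_match(SECTION2_OBJECTS + [catch_all(1)], "192.168.1.1").name)
    print("section 3 catch-all ->", first_match(SECTION2_OBJECTS + [catch_all(3)], "192.168.1.1").name)
```

Running the script prints the section 2 objects in the order the table's rules produce (the /32 static object first, the two /24 static objects by address, then the two 172.16.1.0/24 dynamic objects by name, then the 192.168.1.0/24 dynamic object), and the two catch-all lookups show the shadowing effect the section 1 Note warns about.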
