Cisco ASA Series CLI Configuration Manual, page 764

Software version 9.0 for the services module
Chapter 1      Information About NAT

NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 1-1 shows the order of rules within each section.

Table 1-1      NAT Rule Table

Table Section: Section 1
Rule Type: Twice NAT
Order of Rules within the Section:
    Applied on a first match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.

    Note: If you configure EasyVPN remote, the ASA dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.

Table Section: Section 2
Rule Type: Network object NAT
Order of Rules within the Section:
    Section 2 rules are applied in the following order, as automatically determined by the ASA:
    1. Static rules.
    2. Dynamic rules.
    Within each rule type, the following ordering guidelines are used:
    a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.
    b. For quantities that are the same, the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.
    c. If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

Table Section: Section 3
Rule Type: Twice NAT
Order of Rules within the Section:
    Section 3 rules are applied on a first match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.

For section 2 rules, for example, you have the following IP addresses defined within network objects:

192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)

Cisco ASA Series CLI Configuration Guide
1-18
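The section 2 ordering in Table 1-1 is a deterministic sort: rule type first (static before dynamic), then quantity of real addresses, then numeric address, then object name. The following Python script is an added example, not Cisco code and not part of this guide; it encodes those four criteria as a sort key and applies them to the six network objects listed above. Only the objects abc and def are named on this page, so the other object names in the script are constructed placeholders (they cannot change the outcome, because the name only breaks ties between identical addresses). The first_match helper is likewise an illustration of why the order matters: a host covered by several overlapping objects is handled by whichever rule sorts first, here the /32 rather than either /24.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectNatRule:
    """One network object NAT rule (Table 1-1, section 2)."""
    name: str   # name of the network object the NAT is configured under
    real: str   # real (untranslated) address or network in CIDR notation
    kind: str   # "static" or "dynamic"


# Steps 1 and 2 of Table 1-1: every static rule precedes every dynamic rule.
RULE_KIND_RANK = {"static": 0, "dynamic": 1}


def section2_sort_key(rule: ObjectNatRule):
    """Sort key mirroring the section 2 guidelines a, b and c in Table 1-1."""
    net = ipaddress.ip_network(rule.real, strict=False)
    return (
        RULE_KIND_RANK[rule.kind],
        net.num_addresses,           # a. fewer real IP addresses first
        int(net.network_address),    # b. lower IP address number first
        rule.name,                   # c. network object name, alphabetical
    )


def order_section2(rules):
    """Return the section 2 rules in the order the table says they are assessed."""
    return sorted(rules, key=section2_sort_key)


# The six objects listed on this page. "abc" and "def" are the page's names;
# the remaining names are constructed placeholders for this example.
EXAMPLE_RULES = [
    ObjectNatRule("static-192", "192.168.1.0/24", "static"),
    ObjectNatRule("dynamic-192", "192.168.1.0/24", "dynamic"),
    ObjectNatRule("static-10", "10.1.1.0/24", "static"),
    ObjectNatRule("static-host", "192.168.1.1/32", "static"),
    ObjectNatRule("def", "172.16.1.0/24", "dynamic"),
    ObjectNatRule("abc", "172.16.1.0/24", "dynamic"),
]


def ordered_names(rules=EXAMPLE_RULES):
    """Object names in assessment order, convenient for checking the sort."""
    return [r.name for r in order_section2(rules)]


def first_match(rules, host):
    """Return the first rule (in section 2 order) whose real network holds host."""
    ip = ipaddress.ip_address(host)
    for rule in order_section2(rules):
        if ip in ipaddress.ip_network(rule.real, strict=False):
            return rule
    return None


if __name__ == "__main__":
    for i, rule in enumerate(order_section2(EXAMPLE_RULES), 1):
        print(f"{i}. {rule.real} ({rule.kind}) object {rule.name}")
    # 192.168.1.1 is covered by three objects; the /32 sorts first and wins.
    print("192.168.1.1 ->", first_match(EXAMPLE_RULES, "192.168.1.1").name)
```

Running the script prints the six objects in the order the table's guidelines produce; the static /32 host comes first because it has the fewest real addresses, the two static /24 objects follow in numeric address order, and the dynamic objects come last with abc ahead of def by name.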