- Dynamic NAT
nat (dmz) 2 10.10.10.128 255.255.255.128
global (out) 2 172.16.16.129-172.16.16.254 netmask 255.255.255.128
- Dynamic PAT
ASA2(config)# nat (dmz) 1 10.10.10.0 255.255.255.0
ASA2(config)# global (out) 1 172.16.16.126
- Identity NAT
ASA2(config)# nat (dmz) 0 10.10.10.128 255.255.255.192
- Static NAT
ASA2(config)# static (dmz,out) 172.16.16.140 10.10.10.140
- Static Policy NAT
ASA2(config)# static (dmz,out) 172.18.18.148 access-list STATIC-POLICY1
! For other destinations source address 10.10.10.148 is translated to 172.16.16.148
ASA2(config)# static (dmz,out) 172.16.16.148 10.10.10.148 netmask 255.255.255.255
- Dynamic Policy NAT
access-list DYN-POLICY1 extended permit ip 10.10.10.128 255.255.255.224 host 172.16.16.200
nat (dmz) 4 access-list DYN-POLICY1
global (out) 4 172.17.17.129-172.17.17.158 netmask 255.255.255.224
- Dynamic Policy PAT
access-list DYN-POLICY2 extended permit ip 10.10.10.128 255.255.255.192 host 172.16.16.200
ASA2(config)# nat (dmz) 3 access-list DYN-POLICY2
ASA2(config)# global (out) 3 172.16.16.125
- NAT Exemption
access-list NONAT extended permit ip 10.10.10.128 255.255.255.240 172.16.16.0 255.255.255.0
nat (dmz) 0 access-list NONAT
In what order and precedence is ASA firewall processing various NAT configurations.
NAT precedence rules
NAT Exemption: This is always the first to be checked and has precedence over any other type of NAT rule that eventually conflicts with it.
Static Policy NAT: The motivation for this type of rule is to allow the selection of distinct global addresses for a given laddr, depending on the destination address (faddr) being contacted. This can be thought of as an exception to a generic static statement and, as such, needs to be configured before regular statics.
Static NAT: This is checked before all the Dynamic, Dynamic Policy, and Identity NAT rules. If some hosts that fall within a NAT Exemption range require static translation, the pertinent exceptions in the nat 0 access-list command need to be created, as previously illustrated in Example 8-14.
Dynamic Policy NAT/PAT: These rules are checked before the Dynamic and Identity NAT rules. If two rules of this category exist, the precedence is given by the order in which they were configured (does not matter if is a Policy PAT or Policy NAT).
Identity NAT: This unidirectional translation bypass method is evaluated before any Dynamic NAT or Dynamic PAT rule.
Dynamic NAT: This category has precedence over Dynamic PAT only.
Dynamic PAT: If after running through all the previous NAT types, ASA does not find a match, it still searches for a Dynamic PAT. If no matching rule is located, the implicit deny rule that characterizes the NAT-control model is enforced.
- Cisco Firewalls By: Alexandre M.S.P Moraes, chapter "Outbound NAT Analysis"
- Network Address Translation (NAT) order of operation in the PIX Firewall
- Packet Flow through Cisco ASA Firewall
- Order of NAT Commands Used to Match Real Addresses