Firewall Wizards mailing list archives

Re: NAT order help


From: "kevin horvath" <kevin.horvath () gmail com>
Date: Fri, 9 Nov 2007 10:17:48 -0500

> first, AFAIK they are not in conflict since the translate-from
> address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

They are. The access list for static PAT stipulates the 10 net just
as the static NAT. Static NAT wins over static PAT.


> second, I think they are processed in order

You are thinking as if it's an access list (permit or deny), but it
works more like routing, where the more specific statement wins if they
are the same type of translation. Since they aren't, and one is static
NAT, it has more precedence.

NOTE: I haven't worked on the ASA, just a lot with the PIX, but it should
be the same. Maybe not, though, so please go to CCO to verify. If you have
a lab, the best way to learn is to just test it out if unsure.

The order of operation for the PIX (which should be the same for the ASA,
since I believe they use the same code base) is as follows:

Order of NAT Commands Used to Match Local Addresses (I could only find
this for the PIX 6.3, so it could possibly have changed since then)

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)—In order, until the first match.
For example, you could have overlapping local/destination addresses in
multiple nat commands, but only the first command is matched.

2. static (static NAT)—In order, until the first match. Because you
cannot use the same local address in static NAT or static PAT
commands, the order of static commands does not matter. Similarly, for
static policy NAT, you cannot use the same local/destination address
and port across multiple statements.

3. static {tcp | udp} (static PAT)—In order, until the first match.
Because you cannot use the same local address in static NAT or static
PAT commands, the order of static commands does not matter. Similarly,
for static policy NAT, you cannot use the same local/destination
address and port across multiple statements.

4. nat nat_id access-list (policy NAT)—In order, until the first
match. For example, you could have overlapping local/destination ports
and addresses in multiple nat commands, but only the first command is
matched.

5. nat (regular NAT)—Best match. The order of the NAT commands does
not matter. The nat statement that best matches the local traffic is
used. For example, you can create a general statement to translate all
addresses (0.0.0.0) on an interface. If you also create a statement to
translate only 10.1.1.1, when 10.1.1.1 makes a connection, the
specific statement for 10.1.1.1 is used because it matches the local
traffic best.

On Nov 9, 2007 8:58 AM, Avishai Wool <yash () acm org> wrote:
sivakumar

first, AFAIK they are not in conflict since the translate-from
address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

second, I think they are processed in order

google for "cisco pix command reference" and follow the
links to your pix version - I looked at
 http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

for ASA 7.2

HTH,
  Avishai

On 11/6/07, sivakumar <siva_itech () yahoo com> wrote:

Hi,

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1

static (inside,outside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

Please tell me which statement will take precedence - policy NAT or static
NAT.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



--
Avishai Wool, Ph.D.,  Co-founder and Chief Technical Officer
               http://www.algosec.com
******* Firewall Management Made Smarter ******

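As an added illustration, not code from the thread or from Cisco, here is a small Python model of the five-step matching order quoted above (first match for the first four categories, best match for regular nat), run against a constructed rule set whose names and networks are hypothetical:

```python
import ipaddress

# Model of the PIX 6.3 "Order of NAT Commands Used to Match Local Addresses"
# quoted in the thread. Categories are tried in this fixed order; the first
# four are first-match in configuration order, regular nat is best-match.
CATEGORY_ORDER = ["nat0_acl", "static", "static_pat", "policy_nat", "nat"]

def rule_matches(rule, src, dst):
    """A rule matches when the local source is inside its local network and,
    if the rule carries a destination (nat 0 / policy access-list), the
    destination is inside that network as well."""
    if src not in ipaddress.ip_network(rule["local"]):
        return False
    dest = rule.get("dest")
    return dest is None or dst in ipaddress.ip_network(dest)

def select_nat_rule(rules, src_ip, dst_ip):
    """Return the rule the firewall would apply, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for category in CATEGORY_ORDER:
        candidates = [r for r in rules
                      if r["type"] == category and rule_matches(r, src, dst)]
        if not candidates:
            continue
        if category == "nat":
            # Regular NAT: the most specific local network wins, order is irrelevant.
            return max(candidates,
                       key=lambda r: ipaddress.ip_network(r["local"]).prefixlen)
        # Everything else: configuration order, first match, even if a later
        # statement in the same category is more specific.
        return candidates[0]
    return None

# Constructed, hypothetical rule set (not the configuration from the thread).
RULES = [
    {"name": "nat 0 acl dmz", "type": "nat0_acl",   "local": "10.2.0.0/16", "dest": "192.168.0.0/24"},
    {"name": "static web",    "type": "static",     "local": "10.1.1.5/32"},
    {"name": "policy first",  "type": "policy_nat", "local": "10.1.0.0/16", "dest": "172.16.0.0/16"},
    {"name": "policy second", "type": "policy_nat", "local": "10.1.1.0/24", "dest": "172.16.0.0/16"},
    {"name": "nat general",   "type": "nat",        "local": "0.0.0.0/0"},
    {"name": "nat host",      "type": "nat",        "local": "10.1.1.1/32"},
]

if __name__ == "__main__":
    for src, dst in [("10.2.3.4", "192.168.0.9"), ("10.1.1.5", "203.0.113.1"),
                     ("10.1.1.7", "172.16.5.5"), ("10.1.1.1", "203.0.113.1")]:
        print(src, "->", dst, ":", select_nat_rule(RULES, src, dst)["name"])
```

The 10.1.1.7 -> 172.16.5.5 case shows the first-match behaviour of policy NAT (the earlier, broader statement wins), while 10.1.1.1 shows the best-match behaviour of regular nat described in step 5.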
