Firewall Wizards mailing list archives
Re: NAT order help
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Fri, 9 Nov 2007 10:17:48 -0500
first, AFAIK they are not in conflict since the translate-from address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
They are. The access list for static PAT stipulates the 10 net just as the static NAT does. Static NAT wins over static PAT.
second, I think they are processed in order
You are thinking as if it's an access list (permit or deny), but it works more like routing, where the more specific statement wins if they are the same type of translation. Since they aren't, and one is static NAT, it has more precedence. NOTE: I haven't worked on the ASA, just a lot with the PIX, but it should be the same, but maybe not, so please go to CCO to verify. If you have a lab, the best way to learn is to just test it out if unsure. The order of operation for the PIX (which should be the same for the ASA, since I believe they use the same code base) is as follows:

Order of NAT Commands Used to Match Local Addresses (could only find this for the PIX 6.3, so it could possibly have changed since this)

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)—In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)—In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)—Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

On Nov 9, 2007 8:58 AM, Avishai Wool <yash () acm org> wrote:
sivakumar

first, AFAIK they are not in conflict since the translate-from address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

second, I think they are processed in order

google for "cisco pix command reference" and follow the links to your pix version - I looked at http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525 for ASA 7.2

HTH,
Avishai

On 11/6/07, sivakumar <siva_itech () yahoo com> wrote:

Hi,

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static (inside,outside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

Please tell me which statement will take precedence - policy NAT or static NAT..

--
View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
Sent from the Firewall Wizards mailing list archive at Nabble.com.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
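The five-step matching order quoted from the PIX 6.3 documentation above is easy to get wrong by reading it as an access list. The following script is an added example, not code from the thread or from Cisco: it models that documented order (categories 1-4 in configured order, first match; category 5 regular nat by longest local prefix) over a small rule table. The NatRule class, the rule names and the sample networks are all constructed for illustration, so it shows the precedence logic rather than the behaviour of any particular PIX or ASA release.

```python
# Added example: a model of the PIX 6.3 "Order of NAT Commands Used to Match
# Local Addresses" quoted in the thread. Rule names, networks and the NatRule
# class are constructed for illustration; verify real behaviour on a lab box.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Command categories in the precedence the quoted documentation gives.
PRECEDENCE = ["nat0_acl", "static", "static_pat", "policy_nat", "nat"]


@dataclass
class NatRule:
    kind: str                    # one of PRECEDENCE
    local: str                   # local (inside) network, e.g. "10.0.0.0/8"
    dest: Optional[str] = None   # destination network for ACL-based rules
    proto: Optional[str] = None  # "tcp" / "udp" for static PAT
    port: Optional[int] = None   # local port for static PAT
    name: str = ""               # label returned by select_nat

    def matches(self, src: str, dst: str, proto: str, sport: Optional[int]) -> bool:
        """True if this rule covers the flow (local address, and where set, dest/proto/port)."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.local):
            return False
        if self.dest and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dest):
            return False
        if self.proto and self.proto != proto:
            return False
        if self.port is not None and self.port != sport:
            return False
        return True


def select_nat(rules: List[NatRule], src: str, dst: str,
               proto: str = "tcp", sport: Optional[int] = None) -> Optional[str]:
    """Return the name of the rule that translates this flow, or None.

    Categories 1-4: evaluated in configured order, first match wins.
    Category 5 (regular nat): best match, i.e. the longest local prefix.
    A later category is only consulted if no rule in an earlier one matched.
    """
    for kind in PRECEDENCE:
        cands = [r for r in rules if r.kind == kind and r.matches(src, dst, proto, sport)]
        if not cands:
            continue
        if kind == "nat":
            best = max(cands, key=lambda r: ipaddress.ip_network(r.local).prefixlen)
            return best.name
        return cands[0].name
    return None


# Constructed rule table (order within the list is the configured order).
RULES = [
    NatRule("nat", "0.0.0.0/0", name="nat-all"),                                     # general nat
    NatRule("nat", "10.1.1.1/32", name="nat-host"),                                  # nat for one host
    NatRule("static", "172.16.0.0/16", name="static-172"),                           # static NAT
    NatRule("static_pat", "172.20.0.10/32", proto="tcp", port=25, name="pat-smtp"),  # static PAT
    NatRule("nat0_acl", "10.0.0.0/8", dest="192.168.0.0/16", name="exempt-vpn"),     # NAT exemption
    NatRule("policy_nat", "0.0.0.0/0", dest="1.1.1.1/32", name="policy-rule1"),      # policy NAT
]

if __name__ == "__main__":
    flows = [
        ("10.1.1.1", "192.168.1.1", "tcp", None),   # exemption beats the host-specific nat
        ("172.16.5.5", "1.1.1.1", "tcp", None),     # static NAT beats policy NAT
        ("10.1.1.1", "1.1.1.1", "tcp", None),       # policy NAT beats regular nat
        ("10.1.1.1", "8.8.8.8", "tcp", None),       # specific nat beats the 0.0.0.0 nat
        ("172.20.0.10", "8.8.8.8", "tcp", 25),      # static PAT on the matching port
        ("172.20.0.10", "8.8.8.8", "tcp", 80),      # other ports fall through to regular nat
    ]
    for src, dst, proto, sport in flows:
        print(f"{src} -> {dst} {proto}/{sport}: {select_nat(RULES, src, dst, proto, sport)}")
```

The useful thing to notice when running it is that the position of a rule in the list only matters inside its own category: the exemption and the policy rule are listed last yet still win over the nat statements, because the category is consulted first, and within regular nat the order is irrelevant because the longest prefix wins.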