From: Israel Gonzalez (isrgonza) (isrgonza@cisco.com)
Date: Wed Jun 25 2008 - 11:58:05 ART
Hi,
As far as I know, this is how the NAT process criteria works:
1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands (first match)
     - Static NAT with and without access-list
     - Static PAT with and without access-list
4. Match nat commands
     - nat <id> access-list (first match)
     - nat <id> <address> <mask> (best match)
         If the ID is 0, create an identity xlate
         Use global pool for dynamic NAT
         Use global pool for dynamic PAT
Hope that helps....
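As an added illustration (not part of the thread, and not Cisco's code), the following Python is a deliberately simplified model of the evaluation order listed above, applied to the two configs from Tim's original question further down. It assumes a pre-8.3 PIX/ASA-style rule set where an access-list is reduced to the source networks it permits, an existing xlate is just a dictionary keyed by source address, and "best match" at the nat <id> <address> <mask> step means longest prefix; global pools and PAT port allocation are not modelled.

```python
"""Simplified model of the PIX/ASA NAT evaluation order described in the reply.

Constructed for illustration only. It is not Cisco's implementation and models
only: nat 0 access-list -> existing xlate -> static (first match) ->
nat <id> access-list (first match) -> nat <id> <addr> <mask> (best match).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    kind: str                  # "nat0_acl", "static", "nat_acl" or "nat"
    nat_id: int = 0            # nat/global id; 0 on a plain nat = identity xlate
    real: str = "0.0.0.0/0"    # real (inside) network in CIDR form
    acl: Tuple[str, ...] = ()  # source networks the attached access-list permits

    def matches_acl(self, src: ipaddress.IPv4Address) -> bool:
        return any(src in ipaddress.ip_network(n) for n in self.acl)

    def matches_net(self, src: ipaddress.IPv4Address) -> bool:
        return src in ipaddress.ip_network(self.real)

    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.real).prefixlen


def lookup_nat(src_ip: str, rules, xlates=None) -> Tuple[str, Optional[NatRule]]:
    """Return (stage, winning rule) for a packet with the given source address."""
    src = ipaddress.ip_address(src_ip)
    xlates = xlates or {}

    # 1. nat 0 access-list (NAT exemption): first match in configured order.
    for r in rules:
        if r.kind == "nat0_acl" and r.matches_acl(src):
            return ("nat-exempt", r)

    # 2. An existing xlate is reused before any further rule lookup.
    if src_ip in xlates:
        return ("existing-xlate", xlates[src_ip])

    # 3. static commands: first match in configured order.
    for r in rules:
        if r.kind == "static" and r.matches_net(src):
            return ("static", r)

    # 4. nat <id> access-list: first match in configured order.
    for r in rules:
        if r.kind == "nat_acl" and r.matches_acl(src):
            return ("nat-acl", r)

    # 5. nat <id> <address> <mask>: best (longest-prefix) match, so the
    #    position of the line in the config does not decide the winner.
    best = None
    for r in rules:
        if r.kind == "nat" and r.matches_net(src):
            if best is None or r.prefixlen() > best.prefixlen():
                best = r
    if best is None:
        return ("no-match", None)
    if best.nat_id == 0:
        return ("identity", best)
    return ("dynamic", best)


# Tim's two config snippets from the thread, in each order he asked about.
CONFIG_A = [NatRule("nat", 1, "192.10.1.0/24"), NatRule("nat", 2, "0.0.0.0/0")]
CONFIG_B = [NatRule("nat", 1, "0.0.0.0/0"), NatRule("nat", 2, "192.10.1.0/24")]


def same_network_wins(src_ip: str) -> bool:
    """True if both orderings pick the rule covering the same real network."""
    _, a = lookup_nat(src_ip, CONFIG_A)
    _, b = lookup_nat(src_ip, CONFIG_B)
    return a is not None and b is not None and a.real == b.real


if __name__ == "__main__":
    for host in ("192.10.1.25", "10.0.0.9"):
        for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
            stage, rule = lookup_nat(host, cfg)
            print(f"{host} config {name}: {stage} via nat id {rule.nat_id} {rule.real}")
```

Running it shows that a 192.10.1.x source lands on the /24 line in both orderings (nat id 1 in config A, nat id 2 in config B), while a host outside that range falls through to the 0 0 line; the static step, by contrast, is first-match, so there ordering does matter.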
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Trevor Angus
Sent: Wednesday, June 25, 2008 9:13 AM
To: Tim; Naji Talj; security@groupstudy.com
Cc: Cisco certification
Subject: RE: PIX/ASA NAT
The order of NAT entries IS important to an extent. Have a look on
univercd, there is an order of NAT translation section. It has to do
with assigned priority for different types of NAT and within each
priority group it is processed top down.
cheers
Trevor
CCIE 19552
-----Original Message-----
From: Tim [mailto:ccie2be@nyc.rr.com]
Sent: 25 June 2008 03:33 PM
To: 'Naji Talj'; security@groupstudy.com
Cc: 'Cisco certification'
Subject: RE: PIX/ASA NAT
Hey Naji,
Did you know there's another post that says the exact opposite !!!
How sure are you?
I figure the nat statements are processed more like a route table - longest match wins.
But, a post yesterday, says it's really like how an ACL is processed.
I don't know who is correct but I know you can't both be correct.
-----Original Message-----
From: Naji Talj [mailto:ntalj@dcgroup.com]
Sent: Wednesday, June 25, 2008 8:13 AM
To: Tim
Subject: RE: PIX/ASA NAT
Hi Tim,
The sequence doesn't matter; the most matching entry executes.
Rgds,
Naji Talj
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Sent: Tuesday, June 24, 2008 8:28 PM
To: security@groupstudy.com
Subject: PIX/ASA NAT
Hi Guys,
Does it matter in which order I enter nat commands?
For example,
nat (inside) 1 192.10.1.0 255.255.255.0
nat (inside) 2 0 0
(Assume I have the correct globals.)
versus
nat (inside) 1 0 0
nat (inside) 2 192.10.1.0 255.255.255.0
Given these config snippets, will the same thing happen for a packet with a source address of 192.10.1.x with either config?
If so, is the reason because nat commands are evaluated like a route table, ie most specific match takes precedence?
Thanks, Tim
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART