Order of NAT Processing

Just a quick post about NAT processing on the Cisco ASA platform. When configuring different types of NAT (NAT Exemption, Policy NAT) the rules can overlap. The Cisco ASA runs through the NAT translation types configured on the firewall until the first match is found. Here is the list, in order of precedence.

  • NAT Exemption (nat 0 access-list)
  • Policy NAT (static with access-list)
  • Static NAT
  • Static PAT
  • Policy NAT (nat with access-list)
  • Dynamic NAT
  • Dynamic PAT

Notice that Policy NAT appears twice in the list: once for rules configured with the nat/global commands, which only yield a unidirectional connection, and once for rules configured with the static command, which are bidirectional. So do some due diligence when it comes to configuring your NAT rules.
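As an added illustration (not code from the original post or from Cisco), the following Python model applies the precedence list above to a constructed set of overlapping rules. The rule types, addresses and the set of one-way rule kinds are assumptions of the model: nat/global based rules are treated as outbound-only, while static and exemption rules match flows initiated from either side.

```python
import ipaddress
from dataclasses import dataclass

# ASA NAT types in the order the post gives; the first matching type wins,
# whatever order the lines appear in the running configuration.
PRECEDENCE = [
    "nat-exemption",   # nat 0 access-list
    "policy-static",   # static with access-list
    "static-nat",
    "static-pat",
    "policy-dynamic",  # nat with access-list
    "dynamic-nat",
    "dynamic-pat",
]
# Assumption: nat/global based rules translate only connections the real host initiates.
UNIDIRECTIONAL = {"policy-dynamic", "dynamic-nat", "dynamic-pat"}

@dataclass(frozen=True)
class Rule:
    kind: str                   # one of PRECEDENCE
    real: str                   # real (inside) hosts the rule covers, CIDR
    remote: str = "0.0.0.0/0"   # remote hosts matched by the rule's access-list
    mapped: str = ""            # translated address; "" means no translation

def select_rule(rules, real_host, remote_host, inside_initiated=True):
    """First rule the ASA would apply to a flow between real_host and remote_host."""
    real = ipaddress.ip_address(real_host)
    remote = ipaddress.ip_address(remote_host)
    # sorted() is stable, so rules of the same type keep their configured order
    for rule in sorted(rules, key=lambda r: PRECEDENCE.index(r.kind)):
        if not inside_initiated and rule.kind in UNIDIRECTIONAL:
            continue  # a remote-initiated flow cannot use a one-way rule
        if real in ipaddress.ip_network(rule.real) and remote in ipaddress.ip_network(rule.remote):
            return rule
    return None

# Constructed example config, deliberately listed in reverse precedence order.
RULES = [
    Rule("dynamic-pat", "10.1.1.0/24", mapped="interface"),
    Rule("policy-dynamic", "10.1.1.0/24", "198.51.100.0/24", "203.0.113.50"),
    Rule("static-nat", "10.1.1.10/32", mapped="203.0.113.10"),
    Rule("policy-static", "10.1.1.30/32", "198.51.100.0/24", "203.0.113.30"),
    Rule("nat-exemption", "10.1.1.0/24", "192.168.50.0/24"),
]

if __name__ == "__main__":
    print(select_rule(RULES, "10.1.1.10", "192.168.50.5").kind)         # nat-exemption beats static
    print(select_rule(RULES, "10.1.1.10", "198.51.100.7").kind)         # static-nat beats policy NAT
    print(select_rule(RULES, "10.1.1.30", "198.51.100.7", False).kind)  # policy-static is bidirectional
    print(select_rule(RULES, "10.1.1.20", "198.51.100.7", False))       # None: nat-based rules are one-way
```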

May 22nd, 2011 • Posted in ASA, NAT, Routing, Troubleshooting