NAT Order of Operation
There are many different types of NAT rules you can configure on a Cisco ASA firewall, depending on the software version it runs. Besides knowing how to configure NAT rules, it is important to understand the NAT order of operation: when more than one rule could apply to the same traffic, the order decides which rule actually takes effect. This article describes the order of operation for all NAT types on Cisco ASA firewalls running pre-8.3 and post-8.3 software versions. You can use it as a quick reference while troubleshooting NAT issues.
For Cisco ASA software versions before 8.3(1), the order of operation is:
NAT Exemption > Static NAT > Dynamic Policy NAT > Dynamic NAT
- NAT Exemption: there is no predefined processing order among NAT exemption rules.
- Static NAT (identity, regular and policy): all static NAT rules are processed in order until the first match is found. The processing order is the configuration order, so the order in which static NAT rules are configured matters.
- Dynamic Policy NAT: all dynamic policy NAT rules are processed in order until the first match is found. The processing order is the configuration order, so the order in which dynamic policy NAT rules are configured matters.
- Dynamic NAT (identity and regular): dynamic NAT works on a best-match basis, so configuration order is NOT important for these types of dynamic NAT.
For Cisco ASA software versions 8.3(1) and later, the order of operation is:
Manual NAT > Static Object NAT or Auto NAT > Dynamic Object NAT or Auto NAT > After-auto Manual NAT or After-auto Twice NAT
- Manual NAT or Twice NAT: manual NAT rules are processed in order until the first match is found. The processing order is the configuration order, so the order in which manual NAT rules are configured matters.
- Static Object NAT or Auto NAT: the order of static Auto NAT rules is determined by several factors: first by the most specific real IP address or network, then by the numerically lowest IP address, and finally by the alphabetically lowest object name.
- Dynamic Object NAT or Auto NAT: the order of dynamic Auto NAT rules is determined by the same factors: first by the most specific IP address or network, then by the numerically lowest IP address, and finally by the alphabetically lowest object name.
- After-auto Manual NAT or After-auto Twice NAT: after-auto NAT rules are processed in order until the first match is found. The processing order is the configuration order, so the order in which after-auto rules are configured matters.
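To make both orderings concrete, here is an added Python model that is not part of the original article and is not Cisco code. It applies the pre-8.3 order (exemption, static, dynamic policy, then best-match dynamic) and the 8.3(1)+ order (manual, sorted auto, after-auto) to constructed sample rule sets and reports which rule a given source address would hit. The rule names, networks and dictionary fields are assumptions chosen for illustration, and the model matches on the source address only, which is enough to show how the ordering decides the winner.

```python
"""Model of Cisco ASA NAT rule evaluation order (added example, not Cisco code).

Assumptions: a rule is a dict with a constructed name, its real (original)
network in CIDR notation, and either a pre-8.3 'kind' or a post-8.3 'section'.
Only the source address is matched, which is enough to show the ordering.
"""
import ipaddress


# ---------- pre-8.3: NAT Exemption > Static NAT > Dynamic Policy NAT > Dynamic NAT
KIND_ORDER_PRE83 = ("exemption", "static", "dynamic-policy", "dynamic")


def first_match_pre83(rules, src_ip):
    """Return the name of the pre-8.3 rule that would translate src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for kind in KIND_ORDER_PRE83:
        # rules of this kind that cover the source address, in configuration order
        hits = [r for r in rules
                if r["kind"] == kind and ip in ipaddress.ip_network(r["real"])]
        if not hits:
            continue
        if kind == "dynamic":
            # dynamic NAT is best match: the most specific real network wins,
            # regardless of where it sits in the configuration
            return max(hits, key=lambda r: ipaddress.ip_network(r["real"]).prefixlen)["name"]
        # exemption, static and dynamic policy NAT: first match in configuration
        # order (the article notes exemption has no defined order; taking the
        # first matching exemption here is an assumption of this model)
        return hits[0]["name"]
    return None


# ---------- 8.3(1)+: Manual NAT (section 1) > Auto NAT (section 2) > After-auto (section 3)
def _auto_nat_key(rule):
    """Sort key for section 2: static before dynamic, then most specific real
    network (longest prefix), then numerically lowest address, then object name."""
    net = ipaddress.ip_network(rule["real"])
    return (0 if rule["type"] == "static" else 1,
            -net.prefixlen, int(net.network_address), rule["name"])


def ordered_rules_post83(rules):
    """Return rules in the order an 8.3+ ASA evaluates them."""
    manual = [r for r in rules if r["section"] == "manual"]          # config order
    auto = sorted((r for r in rules if r["section"] == "auto"), key=_auto_nat_key)
    after = [r for r in rules if r["section"] == "after-auto"]       # config order
    return manual + auto + after


def first_match_post83(rules, src_ip):
    """Return the name of the 8.3+ rule that would translate src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for r in ordered_rules_post83(rules):
        if ip in ipaddress.ip_network(r["real"]):
            return r["name"]
    return None


# constructed sample rule sets, listed in the order they were "configured"
RULES_PRE83 = [
    {"name": "nat0-exempt-vpn", "kind": "exemption",      "real": "10.1.2.0/24"},
    {"name": "static-host",     "kind": "static",         "real": "10.1.1.5/32"},
    {"name": "static-net",      "kind": "static",         "real": "10.1.0.0/16"},
    {"name": "policy-dyn",      "kind": "dynamic-policy", "real": "10.2.1.0/24"},
    {"name": "dyn-any",         "kind": "dynamic",        "real": "0.0.0.0/0"},
    {"name": "dyn-10.2",        "kind": "dynamic",        "real": "10.2.0.0/16"},
]

RULES_POST83 = [
    {"name": "obj-net-10.1.1.0",    "section": "auto",       "type": "dynamic", "real": "10.1.1.0/24"},
    {"name": "obj-net-10.1.0.0",    "section": "auto",       "type": "static",  "real": "10.1.0.0/16"},
    {"name": "obj-host-10.1.1.5",   "section": "auto",       "type": "static",  "real": "10.1.1.5/32"},
    {"name": "twice-vpn-exempt",    "section": "manual",     "type": "static",  "real": "10.1.2.0/24"},
    {"name": "after-auto-catchall", "section": "after-auto", "type": "dynamic", "real": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.1.5", "10.2.5.5"):
        print("pre-8.3 ", ip, "->", first_match_pre83(RULES_PRE83, ip))
    print("8.3+ evaluation order:", [r["name"] for r in ordered_rules_post83(RULES_POST83)])
    for ip in ("10.1.1.5", "10.1.1.9", "10.1.2.7", "192.168.5.1"):
        print("8.3+    ", ip, "->", first_match_post83(RULES_POST83, ip))
```

Two results are worth checking by hand. In the 8.3+ set, source 10.1.1.9 hits the static /16 object rather than the dynamic /24 that covers it more precisely, because section 2 evaluates all static Auto NAT rules before any dynamic ones. In the pre-8.3 set, 10.1.1.5 hits `static-host` only because it was configured before `static-net`; swap those two lines and the /16 rule wins, which is exactly the configuration-order pitfall the article warns about.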
I hope you enjoyed this article. Please feel free to leave a comment or feedback.