NAT Order of Operation

Cisco ASA firewalls support several kinds of NAT rules, and which ones are available depends on the software version the firewall is running. Besides knowing how to configure the rules, it is important to understand the NAT order of operation: when more than one rule could apply to a packet, the order decides which one is used. This article describes the order of operation for all NAT types on Cisco ASA firewalls running pre-8.3 and 8.3-and-later software. You can use it as a quick reference while troubleshooting NAT issues.
For software versions before 8.3(1), the order of operation is:
NAT Exemption > Static NAT > Dynamic Policy NAT > Dynamic NAT
  • NAT Exemption (nat 0 access-list): rules are processed in configuration order until the first match. Avoid overlapping addresses in NAT exemption statements, because the results can be unexpected.
  • Static NAT (identity, regular and policy): all static NAT rules are processed in order until the first match is found. Processing order is determined by configuration order, so the order in which static NAT rules are configured matters.
  • Dynamic Policy NAT: all dynamic policy NAT rules are processed in order until the first match. Processing order is determined by configuration order, so the order in which dynamic policy NAT rules are configured matters.
  • Dynamic NAT (identity and regular): regular dynamic NAT works on a best-match basis (the rule whose real network most specifically matches the real address wins), so for these rules the configuration order is NOT important.

For 8.3(1) and later software versions, NAT rules are organized into three sections that are consulted in this order:
Manual NAT (Twice NAT) > Static Object NAT (Auto NAT) > Dynamic Object NAT (Auto NAT) > After-auto Manual NAT (After-auto Twice NAT)
  • Manual NAT (Twice NAT), section 1: rules are processed in order until the first match. Processing order is determined by configuration order, so Manual NAT configuration order matters.
  • Static Object NAT (Auto NAT), section 2: the order of static Auto NAT rules is determined by the firewall, not by configuration order: the most specific real IP address/network first (the object with the fewest real addresses), then the numerically lowest real IP address, then the alphabetically lowest object name.
  • Dynamic Object NAT (Auto NAT), section 2: all dynamic Auto NAT rules come after all static Auto NAT rules and are ordered the same way: the most specific real IP address/network first, then the numerically lowest IP address, then the alphabetically lowest object name.
  • After-auto Manual NAT (After-auto Twice NAT), section 3: rules are processed in order until the first match. Processing order is determined by configuration order, so configuration order matters.
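The following script is an added example and is not part of the original article, nor Cisco's implementation: it only models the two lookup orders described above so that the difference between "configuration order" and "specificity" can be seen on sample rules. The rule names and addresses are constructed for illustration, and the model matches on the real source network only; a real ASA also matches manual/policy NAT on destination, interface and ports, which is deliberately left out here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    """One NAT rule, reduced to what the lookup order depends on."""
    category: str  # pre-8.3: exemption / static / policy-dynamic / dynamic
                   # 8.3+:    manual / auto / after-auto
    kind: str      # "static" or "dynamic" (only matters inside auto NAT)
    real: str      # real (pre-translation) network in CIDR form
    name: str      # object name (auto NAT) or a label for the rule
    seq: int       # position in the running configuration


def pre83_lookup(rules, real_ip):
    """Pre-8.3 lookup: the first three categories are walked in a fixed
    order and, inside each, in configuration order; regular dynamic NAT
    is then picked by best (longest-prefix) match, ignoring config order."""
    ip = ip_address(real_ip)
    for category in ("exemption", "static", "policy-dynamic"):
        ordered = sorted((r for r in rules if r.category == category),
                         key=lambda r: r.seq)
        for rule in ordered:
            if ip in ip_network(rule.real):
                return rule
    candidates = [r for r in rules
                  if r.category == "dynamic" and ip in ip_network(r.real)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ip_network(r.real).prefixlen)


def post83_order(rules):
    """Rules in the order an 8.3+ ASA consults them: section 1 (manual NAT)
    in config order; section 2 (auto/object NAT) sorted static before dynamic,
    then fewest real addresses, then lowest address, then object name;
    section 3 (after-auto manual NAT) in config order."""
    def auto_key(rule):
        net = ip_network(rule.real)
        return (0 if rule.kind == "static" else 1,
                net.num_addresses, int(net.network_address), rule.name)

    def by_seq(rule):
        return rule.seq

    return (sorted((r for r in rules if r.category == "manual"), key=by_seq)
            + sorted((r for r in rules if r.category == "auto"), key=auto_key)
            + sorted((r for r in rules if r.category == "after-auto"), key=by_seq))


def post83_lookup(rules, real_ip):
    """First rule in post-8.3 order whose real network contains real_ip."""
    ip = ip_address(real_ip)
    for rule in post83_order(rules):
        if ip in ip_network(rule.real):
            return rule
    return None


# Constructed sample configurations (hypothetical names and addresses).
PRE83_RULES = [
    NatRule("exemption", "static", "10.1.0.0/16", "nat0-to-vpn", 1),
    NatRule("static", "static", "10.1.1.10/32", "static-web", 2),
    NatRule("dynamic", "dynamic", "10.0.0.0/8", "nat-id-1", 3),
    NatRule("dynamic", "dynamic", "10.5.0.0/16", "nat-id-2", 4),
    NatRule("policy-dynamic", "dynamic", "10.5.5.0/24", "policy-dyn", 5),
]

POST83_RULES = [
    NatRule("auto", "dynamic", "10.0.0.0/8", "inside-net", 1),
    NatRule("auto", "static", "10.1.2.0/24", "app-servers", 2),
    NatRule("auto", "static", "10.1.1.0/24", "dmz-servers", 3),
    NatRule("auto", "static", "10.1.1.10/32", "web-server", 4),
    NatRule("manual", "static", "10.1.0.0/16", "vpn-identity", 5),
    NatRule("after-auto", "dynamic", "0.0.0.0/0", "catch-all", 6),
]

if __name__ == "__main__":
    print("8.3+ evaluation order:",
          [r.name for r in post83_order(POST83_RULES)])
    for ip in ("10.1.1.10", "10.2.3.4", "192.168.5.5"):
        print("8.3+   ", ip, "->", post83_lookup(POST83_RULES, ip).name)
    for ip in ("10.1.1.10", "10.5.5.5", "10.5.6.6", "10.9.9.9"):
        print("pre-8.3", ip, "->", pre83_lookup(PRE83_RULES, ip).name)
```

Two things the sample rules bring out. On 8.3+, the /16 manual NAT rule configured last still translates 10.1.1.10, because section 1 is consulted before any object NAT, no matter how specific the object is; remove it and the /32 object wins over the /24 object that was configured earlier, because section 2 is sorted by specificity rather than by configuration order. On pre-8.3 code, 10.1.1.10 hits the NAT exemption before the more specific static rule, while 10.5.6.6 picks the later /16 dynamic rule over the earlier /8 because regular dynamic NAT is best-match.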

I hope you enjoyed this article. Please feel free to leave a comment or feedback.

Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect.
