Friday, 3 June 2011

NAT Order of Operation in Cisco Firewall (ASA/PIX)

  1. nat 0 access-list (nat-exempt)
  2. match against existing xlates
  3. static statements

    1. static nat with and without access-list (first match)
    2. static pat with and without access-list (first match) 
  4. nat
    1. nat access-list (first match) 

      Note: The nat 0 access-list command is not part of this command.
    2. nat (best match) 

      Note: When choosing a global address from multiple pools with the same NAT ID, this order is attempted:
      1. If the ID is 0, create an identity xlate.
      2. Use the global pool for the dynamic NAT.
      3. Use the global pool for the dynamic PAT.      

No comments:

Post a Comment