The order of operations is this:

The ASA checks the static NAT/PAT entries in sequential order, meaning they both have the same precedence, so the order will be determined by configuration order.

The sequential order is the order they are configured on the ASA.

This should answer your questions.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
http://www.ipexpert.com/communities and our public website at
http://www.ipexpert.com/
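To make the first-match, configuration-order behaviour concrete, and to reproduce the "mapped-address conflict" result from Try 1 in the quoted thread below, here is an added Python model; it is not code from this thread or from Cisco. It assumes a simplified rule (an assumption, not documented ASA behaviour) that a new static is rejected when an already-configured entry covers every packet the new one could match, and it uses the two per-port statics from the CCO example quoted below plus a constructed whole-IP catch-all to 10.1.1.10.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside)' entry; proto/port None means a whole-IP static."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None  # "tcp" for a port-specific static (static PAT)
    port: Optional[int] = None
    def matches(self, mapped_ip: str, proto: str, port: int) -> bool:
        return self.mapped_ip == mapped_ip and (
            self.proto is None or (self.proto == proto and self.port == port))

    def shadowed_by(self, earlier: "Static") -> bool:
        """True when an earlier entry already claims every packet this one could match."""
        return earlier.mapped_ip == self.mapped_ip and (
            earlier.proto is None or (earlier.proto, earlier.port) == (self.proto, self.port))

class StaticTable:
    """Assumed model: entries are checked in configuration order; first match wins."""
    def __init__(self) -> None:
        self.entries: list = []
    def add(self, entry: Static) -> Optional[str]:
        # Models Try 1's 'mapped-address conflict' error: reject a fully shadowed entry.
        for existing in self.entries:
            if entry.shadowed_by(existing):
                return ("ERROR: mapped-address conflict with existing static "
                        f"{existing.real_ip} to {existing.mapped_ip}")
        self.entries.append(entry)

    def lookup(self, mapped_ip: str, proto: str, port: int) -> Optional[str]:
        """Real IP an inbound packet to mapped_ip/proto/port is translated to, or None."""
        for e in self.entries:
            if e.matches(mapped_ip, proto, port):
                return e.real_ip
        return None

def build(order: list) -> Union[StaticTable, str]:
    """Apply entries in the given order; return the table, or the first error text."""
    table = StaticTable()
    for e in order:
        err = table.add(e)
        if err:
            return err
    return table

# Constructed samples: the CCO example's per-port statics plus a made-up whole-IP catch-all.
TELNET = Static("172.18.124.99", "10.1.1.6", "tcp", 23)
FTP = Static("172.18.124.99", "10.1.1.3", "tcp", 21)
CATCH_ALL = Static("172.18.124.99", "10.1.1.10")
```

With the catch-all configured last, telnet and ftp reach their own hosts and everything else lands on 10.1.1.10; configured first, it shadows the per-port entries and the model rejects them. That is the check to run before relying on a port-specific static to keep a service off the catch-all host.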

 

From: [email protected]
[mailto:[email protected]] On Behalf Of --Hammer--
Sent: Wednesday, August 04, 2010 11:54 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] static nat order

 

So it's not in the NAT order of operations guide on CCO. But I did find an
example where something similar was used.

I think the idea is that you can do a per-port NAT (not PAT/overload) to
different IPs or the same, as long as the more specific (think ACL
operations) statics are applied first. If anyone has something clearly
stating this I would love to see it.

MIGHT REQUIRE CCO ACCESS
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0

--Hammer--


On 8/4/2010 10:29 AM, Kingsley Charles wrote: 

I am also thinking along the same line. Just wanted to confirm if it's a
feature?


With regards
Kings

On Wed, Aug 4, 2010 at 8:57 PM, --Hammer-- <[email protected]> wrote:

Isn't that "less specific rule first" being allowed and that is why Try 2
works? I'm asking more than telling. 



--Hammer--


On 8/4/2010 10:23 AM, Kingsley Charles wrote: 

Hi all

If you check out Try 1, I am not able to do a static PAT with 10.20.30.40 as
there is already a static rule with 10.20.30.40. But if I try in the reverse
order, the ASA accepts it.
Does that mean static rules are executed in order? Hence with Try 2 the
static PAT is matched first and then the static rule is matched, or is it a bug?

Try 1

asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40
asa(config)# static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet
ne$
ERROR: mapped-address conflict with existing static
  inside:10.20.30.40 to outisde:1.2.3.4 netmask 255.255.255.255

asa(config)# sh run static
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255

Try 2

asa(config)# static (inside,outisde) tcp 1.2.3.4 23 10.20.30.40 23
asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40

asa(config)# sh run static
static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet netmask 255.255.255.255
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255

With regards
Kings


 
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com