NAT Rule Order

NAT statements on an ASA are automatically categorised into one of three groups, or “sections”, by the operating system.

Any NAT statements in section 1 are processed first, followed by section 2, and then finally section 3. You can see how your NATs are categorised by using the command “show nat”. For example, below you can see NATs in each of the three sections:

ASA1# show nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host1-real host1-mapped   destination static google1-mapped google1-real
    translate_hits = 424, untranslate_hits = 2544
2 (inside) to (outside) source static host1-real host1-mapped   destination static google2-mapped google2-real
    translate_hits = 7, untranslate_hits = 7

Auto NAT Policies (Section 2)
1 (any) to (any) source static host1-real host1-mapped
    translate_hits = 8090, untranslate_hits = 22230

Manual NAT Policies (Section 3)
1 (inside) to (outside) source static host2-manual-real host2-manual-mapped
    translate_hits = 0, untranslate_hits = 0
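As an added example (not part of the original post), the script below parses “show nat” output of the form shown above into a list of rules, sorts them into the order the ASA evaluates them (section 1, then 2, then 3, and by position within each section) and flags rules whose translate and untranslate hit counters are both zero, which are the usual starting point for a NAT rulebase review. The sample output is constructed from the figures in the post; the regular expressions assume the exact layout shown here.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "show nat" output shown in the post.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host1-real host1-mapped   destination static google1-mapped google1-real
    translate_hits = 424, untranslate_hits = 2544
2 (inside) to (outside) source static host1-real host1-mapped   destination static google2-mapped google2-real
    translate_hits = 7, untranslate_hits = 7

Auto NAT Policies (Section 2)
1 (any) to (any) source static host1-real host1-mapped
    translate_hits = 8090, untranslate_hits = 22230

Manual NAT Policies (Section 3)
1 (inside) to (outside) source static host2-manual-real host2-manual-mapped
    translate_hits = 0, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
# Rule lines start at column 0 with the position number; hit-count lines are indented.
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class NatRule:
    section: int
    position: int
    real_if: str
    mapped_if: str
    text: str
    translate_hits: int = 0
    untranslate_hits: int = 0


def parse_show_nat(output):
    """Turn 'show nat' text into NatRule records, one per numbered policy line."""
    rules = []
    section = None
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m and section is not None:
            # Collapse the multiple spaces the ASA prints before "destination".
            text = " ".join(m.group(4).split())
            rules.append(NatRule(section, int(m.group(1)), m.group(2), m.group(3), text))
            continue
        m = HITS_RE.search(line)
        if m and rules:
            rules[-1].translate_hits = int(m.group(1))
            rules[-1].untranslate_hits = int(m.group(2))
    return rules


def processing_order(rules):
    """Rules in the order the ASA evaluates them: by section, then by position."""
    return sorted(rules, key=lambda r: (r.section, r.position))


def unused_rules(rules):
    """Rules that have never matched in either direction: candidates for review."""
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]


if __name__ == "__main__":
    parsed = parse_show_nat(SHOW_NAT)
    for r in processing_order(parsed):
        print(f"section {r.section} #{r.position} ({r.real_if} -> {r.mapped_if}): {r.text}")
    for r in unused_rules(parsed):
        print("never matched:", r.text)
```

Feed it the saved output of “show nat” from your own ASA; because the section headers are parsed, the script also works when the Auto NAT section is empty or when a section has been added with “after-auto”.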

The reason for categorising NAT into sections is to ensure a consistent logical framework for how NAT statements are processed.

To understand how NAT is categorised by the ASA you need to understand the different types of NAT and how they are configured. Essentially there are two types:

1) Manual NAT – configured using the “nat” command

2) Auto NAT (also called Network Object NAT) – configured from within a network object. It is essentially an easier way to configure NAT and was introduced in software version 8.4

By default, any NAT that is configured as Manual NAT will be placed into section 1. Any NAT that is configured within a Network Object (Auto NAT) is placed into section 2. Section 3 NATs are Manual NAT statements that would normally go in section 1, but which you instead configure to be in section 3 using the “after-auto” keyword.

Note that Twice NAT can only be configured manually, so by default it will go into section 1.

Section 1 Example

Below is a “Manual NAT” static NAT configuration:

ASA1(config)# nat (inside,outside) source static host1-real host1-mapped
ASA1(config)# nat (inside,outside) source static host2-real host2-mapped

If we now do “show nat” we will see this NAT configuration has been placed into section 1.

ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host1-real host1-mapped
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static host2-real host2-mapped
    translate_hits = 0, untranslate_hits = 0

Notice that within section 1, each NAT statement is numbered. This is the order in which NAT is processed within the section. However, this can be manually changed. For example, below you can see a new static NAT added in position 1.

ASA1(config)# nat (inside,outside) 1 source static host3-real host3-mapped

ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host3-real host3-mapped
    translate_hits = 0, untranslate_hits = 8
2 (inside) to (outside) source static host1-real host1-mapped
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static host2-real host2-mapped
    translate_hits = 0, untranslate_hits = 0

Section 2 Example

Below is an “Auto NAT” static NAT example:

asa1(config)# object network host1-real
asa1(config-network-object)# host 10.1.1.201
asa1(config-network-object)# nat (inside,outside) static host1-mapped

ASA1# show nat
<snip>

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host1-real host1-mapped
    translate_hits = 0, untranslate_hits = 0

As can be seen with the “show nat” command, this Auto NAT configuration has been placed into section 2 and will be processed after any statements in section 1. As with section 1, each statement within section 2 is numbered; however, unlike section 1, the order cannot be manually changed and instead follows a number of rules (see Order of Execution).

Section 3 Example

Below is a “Manual NAT” static NAT configuration that has been placed into section 3 using the “after-auto” command:

ASA1(config)# nat (inside,outside) after-auto source static host4-real host4-mapped

ASA1# show nat
<snip>

Manual NAT Policies (Section 3)
1 (inside) to (outside) source static host4-real host4-mapped
    translate_hits = 0, untranslate_hits = 0

Order of Execution

Within each section, there are rules that determine the order the NAT statements are processed. This is outlined in the table below:

Section 1: Manual NAT
Processed in the order in which the statements appear in the configuration, therefore more specific NATs should be configured before more general NATs.
Static NATs should come before dynamic NATs.
NATs that have both a source and destination configured should come before source-only NATs.

Section 2: Auto NAT
Processed object by object, with the objects ordered using the following rules:

1) Quantity of real IP addresses – objects with fewer real addresses are processed first

2) Lower IP address – for objects with an equal number of addresses, the lower IP address is processed first, e.g. 10.1.1.1 is processed before 10.2.2.2

3) Same IP – if objects have the same real IP address, then the object with the lower alphabetical name is processed first

Section 3: Manual NAT (after-auto)
As per section 1.
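The three section 2 rules above amount to a sort key, and it is worth seeing them applied to objects other than single hosts. The following is an added example, not code from the original post: it takes a constructed set of network objects (host, subnet and range definitions are assumed, each with an Auto NAT attached), works out how many real addresses each object covers and its lowest real address, and returns the object names in the order their section 2 rules would be evaluated. The two objects defining the same host show the alphabetical tie-break.

```python
import ipaddress

# Constructed sample network objects (not from the post). Each is assumed to
# carry an Auto NAT statement, so each produces one section 2 rule.
OBJECTS = {
    "host1-real": "host 10.1.1.201",
    "host2-real": "host 10.1.1.200",
    "dmz-servers": "subnet 10.2.2.0 255.255.255.0",
    "web-range": "range 10.1.1.10 10.1.1.20",
    "host1-dup": "host 10.1.1.201",          # same real IP as host1-real
    "big-net": "subnet 10.0.0.0 255.0.0.0",
}


def real_addresses(definition):
    """Return (number of real addresses, lowest real address) for an object."""
    kind, *args = definition.split()
    if kind == "host":
        ip = ipaddress.ip_address(args[0])
        return 1, ip
    if kind == "subnet":
        # ASA subnet syntax is "subnet <network> <mask>".
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        return net.num_addresses, net.network_address
    if kind == "range":
        lo, hi = ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])
        if int(hi) < int(lo):
            raise ValueError(f"range end before start: {definition}")
        return int(hi) - int(lo) + 1, lo
    raise ValueError(f"unsupported object definition: {definition}")


def auto_nat_order(objects):
    """Object names in the order their section 2 (Auto NAT) rules are evaluated:
    fewest real addresses first, then lowest real IP, then alphabetical name."""
    def key(name):
        count, lowest = real_addresses(objects[name])
        return (count, int(lowest), name)
    return sorted(objects, key=key)


if __name__ == "__main__":
    for position, name in enumerate(auto_nat_order(OBJECTS), start=1):
        count, lowest = real_addresses(OBJECTS[name])
        print(f"{position} {name}: {count} real address(es), lowest {lowest}")
```

Because the ASA, not the administrator, chooses this order, the practical use of the script is to predict where a new object will land before adding it, and to spot an existing object that a broader new one would shadow.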

Author: Simon Chamberlain

An experienced Network Professional writing yet another blog
