Order of Processing NAT Rules
Network Object NAT and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. The following table shows the order of rules within each section.
| Table Section | Rule Type | Order of Rules within the Section |
|---|---|---|
| Section 1 | Twice NAT (ASA) / Manual NAT (FTD) | Applied on a first match basis, in the order they appear in the configuration. Because the first match is applied, you must ensure that specific rules come before more general rules, or the specific rules might not be applied as desired. By default, twice NAT rules are added to section 1. |
| Section 2 | Network Object NAT (ASA) / Auto NAT (FTD) | If a match in section 1 is not found, section 2 rules are applied in the following order: (1) static rules, then (2) dynamic rules. Within each rule type, the following ordering guidelines are used: (a) quantity of real IP addresses, from smallest to largest; (b) for quantities that are the same, the IP address number, from lowest to highest; (c) for the same IP address, the name of the network object, in alphabetical order. |
| Section 3 | Twice NAT (ASA) / Manual NAT (FTD) | If a match is still not found, section 3 rules are applied on a first match basis, in the order they appear in the configuration. This section should contain your most general rules. You must also ensure that any specific rules in this section come before general rules that would otherwise apply. |
For section 2 rules, for example, suppose you have the following IP addresses defined within network objects:

- 192.168.1.0/24 (static)
- 192.168.1.0/24 (dynamic)
- 10.1.1.0/24 (static)
- 192.168.1.1/32 (static)
- 172.16.1.0/24 (dynamic) (object Detroit)
- 172.16.1.0/24 (dynamic) (object Arlington)
The resultant ordering would be:

- 192.168.1.1/32 (static)
- 10.1.1.0/24 (static)
- 192.168.1.0/24 (static)
- 172.16.1.0/24 (dynamic) (object Arlington)
- 172.16.1.0/24 (dynamic) (object Detroit)
- 192.168.1.0/24 (dynamic)
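The following Python model is an added example, not Cisco code and not how the ASA or FTD implements its NAT table internally. It reproduces the three-section evaluation order described above: section 1 and section 3 in configuration order, section 2 sorted static-before-dynamic, then by number of real addresses, then by address, then by object name. It also includes a shadowing check that flags a rule that can never match because an earlier rule in the ordered table already covers its whole real network, which is the general-before-specific mistake the table warns about. The model matches on the source (real) address only; twice/manual NAT also matches on destination, service and interfaces, which this simplification leaves out. The rule data is constructed from the page's section 2 example; object names other than Detroit and Arlington are placeholders and only matter as tie-breakers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    section: int          # 1, 2 or 3
    kind: str             # "static" or "dynamic"
    real: str             # real (pre-translation) network in CIDR form
    obj_name: str = ""    # network object name (section 2 tie-breaker)
    position: int = 0     # configuration order (sections 1 and 3)

    def network(self):
        return ipaddress.ip_network(self.real, strict=False)


def section2_key(rule: NatRule) -> Tuple[int, int, int, str]:
    """Sort key for network object / auto NAT: static before dynamic,
    then fewer real addresses first, then lower address, then object name."""
    net = rule.network()
    return (0 if rule.kind == "static" else 1,
            net.num_addresses,
            int(net.network_address),
            rule.obj_name)


def order_nat_table(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order the device evaluates them."""
    by_config = lambda r: r.position
    s1 = sorted((r for r in rules if r.section == 1), key=by_config)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=by_config)
    return s1 + s2 + s3


def first_match(rules: List[NatRule], src_ip: str) -> Optional[NatRule]:
    """First-match lookup across the three sections (source address only)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in order_nat_table(rules):
        if ip in rule.network():
            return rule
    return None


def shadowed_rules(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """Pairs (shadowed, earlier): rules that can never match because an
    earlier rule in the ordered table covers their entire real network."""
    ordered = order_nat_table(rules)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if later.network().subnet_of(earlier.network()):
                found.append((later, earlier))
                break
    return found


# Constructed from the page's section 2 example; names other than
# Detroit and Arlington are placeholders.
SECTION2_EXAMPLE = [
    NatRule(2, "static",  "192.168.1.0/24", obj_name="obj-lan-static"),
    NatRule(2, "dynamic", "192.168.1.0/24", obj_name="obj-lan-dynamic"),
    NatRule(2, "static",  "10.1.1.0/24",    obj_name="obj-dmz"),
    NatRule(2, "static",  "192.168.1.1/32", obj_name="obj-host"),
    NatRule(2, "dynamic", "172.16.1.0/24",  obj_name="Detroit"),
    NatRule(2, "dynamic", "172.16.1.0/24",  obj_name="Arlington"),
]

# Constructed section 1 (twice/manual NAT) rules with the general rule
# configured first, so the specific /24 rule is shadowed.
SECTION1_MISORDERED = [
    NatRule(1, "static", "10.0.0.0/8",  position=1),
    NatRule(1, "static", "10.1.1.0/24", position=2),
]

if __name__ == "__main__":
    for r in order_nat_table(SECTION2_EXAMPLE):
        print(f"section {r.section}: {r.real} ({r.kind}) {r.obj_name}")
    for later, earlier in shadowed_rules(SECTION1_MISORDERED):
        print(f"{later.real} is shadowed by {earlier.real}")
```

Running `order_nat_table` on the constructed section 2 rules yields exactly the ordering listed above; `first_match` over section 1 plus section 2 shows that a packet from 10.1.1.5 is translated by the section 1 /8 rule even though a more specific section 2 rule exists, because section 2 is never consulted after a section 1 hit.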