Friday, 3 June 2011

NAT 0 statement in Cisco FIrewall (PIX/ASA)

NAT 0 STATEMENT:

nat (inside_interface_name) 0


NAT 0 has two affects:
   
  1. nat (inside_interface_name) 0 access-list 101 

    This works exactly the same way as static, except it bypasses NAT.  It does not require the connection to be initiated from the higher security interface before the host on the lower security interface can create a connection to the host on the higher security level interface.
  2. nat (inside_interface_name) 0 0.0.0.0 0.0.0.0 

    This bypasses NAT, but requires the host on the higher security interface to first initiate a connection to the host on the lower security interface before the host on the lower security interface can initiate
    a connection.

NAT Order of Operation in Cisco Firewall (ASA/PIX)

  1. nat 0 access-list (nat-exempt)
  2. match against existing xlates
  3. static statements

       
    1. static nat with and without access-list (first match)
    2. static pat with and without access-list (first match) 
       
  4. nat
       
    1. nat access-list (first match) 

      Note: The nat 0 access-list command is not part of this command.
    2. nat (best match) 

      Note: When choosing a global address from multiple pools with the same NAT ID, this order is attempted:
             
      1. If the ID is 0, create an identity xlate.
      2. Use the global pool for the dynamic NAT.
      3. Use the global pool for the dynamic PAT.