Cisco ASA NAT rule positioning

When you add a new NAT rule via the CLI of a Cisco ASA, the newly added rule is appended to the end of the NAT rule list. Traditionally you will have a NAT hide rule at the very end, in order to provide your clients with IP connectivity to the Internet.

Fortunately there is a way to choose the position of your NAT rule:

nat (inside,outside) <Position within the NAT rule list> <NAT-parameters>

I have not found a way to rearrange existing NAT rules without deleting the rule and re-adding it with the appropriate position.

Read more to see some examples.

The following example shows how to configure a new NAT rule so that it is not appended at the end of your list.

Current NAT rule list
nat (mgmt,outside) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 destination static NETWORK_OBJ_192.168.70.0_24 NETWORK_OBJ_192.168.70.0_24 no-proxy-arp route-lookup
nat (any,any) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 destination static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 no-proxy-arp
nat (any,any) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 destination static external.support-122.133.211.222 external.support-122.133.211.222 no-proxy-arp
nat (any,outside) source dynamic any interface

Now I want to add an additional hide rule which hides my clients behind a different IP address when they access a specific set of external hosts.

Obviously I want the rule to be placed before the current last rule, so that the traffic is not NATed behind my default hide rule.

CiscoASA(config)# nat (any,outside) 4 source dynamic grp.privateC-192.168.0.0 NAT.ip.154.145.155.144 destination static grp.ext.hosts grp.ext.hosts
CiscoASA(config)# show run nat
nat (mgmt,outside) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 destination static NETWORK_OBJ_192.168.70.0_24 NETWORK_OBJ_192.168.70.0_24 no-proxy-arp route-lookup
nat (any,any) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 destination static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 no-proxy-arp
nat (any,any) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 destination static external.support-122.133.211.222 external.support-122.133.211.222 no-proxy-arp
nat (any,outside) source dynamic grp.privateC-192.168.0.0 NAT.ip.154.145.155.144 destination static grp.ext.hosts grp.ext.hosts
nat (any,outside) source dynamic any interface

Here we can see the rule has been inserted at position four, ahead of the catch-all hide rule.
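To make the effect of the position argument concrete, here is an added simulation (not code from the original post or from Cisco): it feeds the post's four existing rules and the new rule into an ordered list, once with the explicit position and once without, and then evaluates one flow against each list top-down with first match winning, which is how the ASA processes manual (twice) NAT rules. The object contents in OBJECT_MEMBERS and the sample flow are constructed assumptions, since the post does not show the object definitions, and interface matching is deliberately left out of the model.

```python
"""Simulation of Cisco ASA manual NAT rule ordering (added example, not the
post's own code). Object memberships and the sample flow are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Interface pair, optional numeric position, then the rest of the rule.
_NAT_RE = re.compile(
    r"^nat\s+\((?P<ifaces>[^)]+)\)\s+(?:(?P<pos>\d+)\s+)?(?P<body>source\s+.*)$"
)

# The four rules from the post's 'show run nat' output before the change.
CURRENT_NAT_CONFIG = [
    "nat (mgmt,outside) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 "
    "destination static NETWORK_OBJ_192.168.70.0_24 NETWORK_OBJ_192.168.70.0_24 no-proxy-arp route-lookup",
    "nat (any,any) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 "
    "destination static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 no-proxy-arp",
    "nat (any,any) source static grp.privateC-192.168.0.0 grp.privateC-192.168.0.0 "
    "destination static external.support-122.133.211.222 external.support-122.133.211.222 no-proxy-arp",
    "nat (any,outside) source dynamic any interface",
]
# The post's new rule, with the explicit position and without it.
NEW_RULE_POSITIONED = (
    "nat (any,outside) 4 source dynamic grp.privateC-192.168.0.0 NAT.ip.154.145.155.144 "
    "destination static grp.ext.hosts grp.ext.hosts"
)
NEW_RULE_UNPOSITIONED = NEW_RULE_POSITIONED.replace(" 4 source", " source")

# Constructed object contents (assumption: the post does not show the objects).
OBJECT_MEMBERS = {
    "grp.privateC-192.168.0.0": ["192.168.0.0/16"],
    "NETWORK_OBJ_192.168.70.0_24": ["192.168.70.0/24"],
    "external.support-122.133.211.222": ["122.133.211.222/32"],
    "grp.ext.hosts": ["203.0.113.0/24"],
}


@dataclass
class NatRule:
    interfaces: str
    body: str  # everything after the interface pair and the optional position

    def cli(self) -> str:
        return f"nat ({self.interfaces}) {self.body}"

    def source_object(self) -> str:
        # body is 'source static|dynamic <real-object> <mapped-object> ...'
        return self.body.split()[2]

    def destination_object(self) -> Optional[str]:
        parts = self.body.split()
        if "destination" in parts:
            return parts[parts.index("destination") + 2]
        return None


def apply_nat_command(rules: list[NatRule], command: str) -> list[NatRule]:
    """Append the rule, or insert it at the given 1-based position."""
    m = _NAT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a nat command: {command!r}")
    rule = NatRule(m["ifaces"], m["body"])
    updated = list(rules)
    if m["pos"] is None:
        updated.append(rule)
    else:
        pos = int(m["pos"])
        if pos < 1:
            raise ValueError("position must be 1 or greater")
        # list.insert appends when pos is past the end; check the device's own
        # handling of out-of-range positions rather than relying on this model.
        updated.insert(pos - 1, rule)
    return updated


def in_object(name: str, ip: str, members: dict[str, list[str]]) -> bool:
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in members.get(name, ()))


def first_match(rules, src_ip, dst_ip, members):
    """Return (1-based position, rule) of the first matching rule, or None."""
    for pos, rule in enumerate(rules, start=1):
        dst_obj = rule.destination_object()
        if in_object(rule.source_object(), src_ip, members) and (
            dst_obj is None or in_object(dst_obj, dst_ip, members)
        ):
            return pos, rule
    return None


def demo() -> dict:
    """Build the list both ways and look up one constructed flow against each."""
    base: list[NatRule] = []
    for line in CURRENT_NAT_CONFIG:
        base = apply_nat_command(base, line)
    positioned = apply_nat_command(base, NEW_RULE_POSITIONED)
    appended = apply_nat_command(base, NEW_RULE_UNPOSITIONED)
    src, dst = "192.168.0.10", "203.0.113.5"  # constructed client and external host
    return {
        "positioned": [r.cli() for r in positioned],
        "positioned_hit": first_match(positioned, src, dst, OBJECT_MEMBERS),
        "appended_hit": first_match(appended, src, dst, OBJECT_MEMBERS),
    }


if __name__ == "__main__":
    result = demo()
    for pos, line in enumerate(result["positioned"], start=1):
        print(pos, line)
    print("with position 4 the flow hits rule", result["positioned_hit"][0])
    print("appended instead, the flow hits rule", result["appended_hit"][0],
          "whose source is", result["appended_hit"][1].source_object())
```

Running it reproduces the five-line order from the post's second show run nat output, and the lookup shows the point of the position argument: with the rule at position four the sample client is translated by the new rule, while with the rule simply appended the same flow is caught first by the catch-all source dynamic any interface rule and the new rule never sees it.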
