Which NAT gets applied? 1

[lgarner]

I haven't found this explained in any of the study guides. Consider this scenario.

ip address inside 10.1.0.1 255.255.0.0
ip address dmz 10.2.0.1 255.255.0.0
ip address outside 172.16.1.1 255.255.255.0

! all internal traffic uses PAT to get outside
nat (inside) 1 0 0
global (outside) 1 interface

! internal net 10.1.x.x uses no nat to dmz net 10.2.x.x
access-list dmznat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list dmznat

! internal hosts in 10.1.1.x subnet PAT to public addr 172.16.1.3
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 2 172.16.1.3 255.255.255.255

My question is: What determines the order in which NAT is applied? Is it applied in numerical order (0,1,2), or does the Pix apply the most specific nat while using nat 0 to override all others (0,2,1)?

Thanks.

 

[chicocouk]

From the PIX command reference docs, when deciding between your nat (1) and nat (2) statements;

"nat (regular NAT)—Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best. "

Nat 0 when used in your example (nat exemption, rather than identity nat) takes precedence over all other nat or static commands.

Full info here;

http://www.cisco.com/en/US/products...erence_chapter09186a00801727ab.html#wp1187007

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP

 

[lgarner]

Great, thanks. That's what I figured, but just wasn't finding a reference.