Chapter 3 Information About NAT (ASA 8.3 and Later)

NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. Table 3-1 shows the order of rules within each section.

Table 3-1 NAT Rule Table

Columns: Table Section / Rule Type / Order of Rules within the Section

Section 1 / Twice NAT

Applied on a first match basis, in the order they appear in the configuration. Because the first match is applied, you must ensure that specific rules come before more general rules, or the specific rules might not be applied as desired. By default, twice NAT rules are added to section 1.

Note If you configure EasyVPN remote, the ASA dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.

Section 2 / Network object NAT

If a match in section 1 is not found, section 2 rules are applied in the following order, as automatically determined by the ASA:

1. Static rules.

2. Dynamic rules.

Within each rule type, the following ordering guidelines are used:

a. Quantity of real IP addresses, from smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.

b. For quantities that are the same, the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.

c. If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

Section 3 / Twice NAT

If a match is still not found, section 3 rules are applied on a first match basis, in the order they appear in the configuration. This section should contain your most general rules. You must also ensure that any specific rules in this section come before general rules that would otherwise apply. You can specify whether to add a twice NAT rule to section 3 when you add the rule.
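The following Python model reproduces the evaluation order described in Table 3-1 and shows why a general twice NAT rule left in section 1 silently shadows every more specific network object NAT rule. This is an added example, not code or output from the ASA or from this guide; the rule names, addresses and the two rule sets are constructed for illustration, and the model deliberately matches on real source address only (a real ASA lookup also considers interfaces, destination and service, which are omitted here).

```python
"""Model of the ASA unified NAT table: three sections, first match wins.

Added example; not Cisco code. Rules, names and addresses below are constructed.
Only the real source address is matched; interface, destination and service
selectors that the ASA also evaluates are intentionally left out.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str       # network object name (object NAT) or a label (twice NAT)
    real: str       # real (pre-translation) source address or subnet, in CIDR
    kind: str       # "static" or "dynamic"
    section: int    # 1 or 3 for twice NAT, 2 for network object NAT
    seq: int = 0    # position in the configuration; orders twice NAT rules

    @property
    def network(self):
        return ipaddress.ip_network(self.real, strict=False)

    def matches(self, src_ip):
        return ipaddress.ip_address(src_ip) in self.network


def object_nat_key(rule):
    """Section 2 sort key from Table 3-1: static before dynamic, fewer real
    addresses first, lower network address first, then object name A-Z."""
    net = rule.network
    return (0 if rule.kind == "static" else 1,
            net.num_addresses,
            int(net.network_address),
            rule.name)


def build_nat_table(rules):
    """Return rules in ASA evaluation order: section 1, then 2, then 3."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.seq)
    s2 = sorted((r for r in rules if r.section == 2), key=object_nat_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.seq)
    return s1 + s2 + s3


def lookup(rules, src_ip):
    """Name of the first rule that matches; later rules are not evaluated."""
    for rule in build_nat_table(rules):
        if rule.matches(src_ip):
            return rule.name
    return None


def shadowed(rules):
    """Names of rules that can never match because an earlier rule in the
    table already covers their whole real network (equal or a supernet)."""
    table = build_nat_table(rules)
    dead = []
    for i, rule in enumerate(table):
        if any(earlier.network.supernet_of(rule.network) for earlier in table[:i]):
            dead.append(rule.name)
    return dead


# Constructed rule set: the general /16 twice NAT rule sits in section 1,
# where it is evaluated before every network object NAT rule in section 2.
SHADOWING = [
    NatRule("catwoman",    "10.1.1.5/32",    "static",  2),
    NatRule("abracadabra", "10.1.1.5/32",    "static",  2),
    NatRule("inside-net",  "10.1.1.0/24",    "dynamic", 2),
    NatRule("dmz-net",     "10.1.2.0/24",    "static",  2),
    NatRule("host-b",      "192.168.1.1/32", "dynamic", 2),
    NatRule("general-10",  "10.1.0.0/16",    "static",  1, seq=10),
    NatRule("catch-all",   "0.0.0.0/0",      "dynamic", 3, seq=10),
]

# Same rules, but the general /16 rule was added to section 3 and placed
# before the catch-all, so the specific object NAT rules are tried first.
FIXED = [r for r in SHADOWING if r.name != "general-10"] + [
    NatRule("general-10", "10.1.0.0/16", "static", 3, seq=5),
]


if __name__ == "__main__":
    for label, rules in (("shadowing", SHADOWING), ("fixed", FIXED)):
        print(f"{label}: order = {[r.name for r in build_nat_table(rules)]}")
        print(f"  10.1.1.5 -> {lookup(rules, '10.1.1.5')}, "
              f"10.1.7.7 -> {lookup(rules, '10.1.7.7')}, "
              f"unreachable = {shadowed(rules)}")
```

In the SHADOWING set every 10.1.x.x object NAT rule is unreachable, which is exactly the failure mode the EasyVPN note above warns about; moving the rule to section 3 (on the CLI this is the `after-auto` keyword of the `nat` command) restores the intended specific-before-general order. The `shadowed()` check is the review a practitioner should run on a NAT table before deployment; on the appliance itself, `show nat` lists the active table in evaluation order with its section labels so the same reasoning can be applied to live configuration.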

Cisco ASA Series Firewall ASDM Configuration Guide


ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.