Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASA - NAT rule order via CLI?

Status
Not open for further replies.
kythri

kythri

Technical User
Jan 21, 2003
116
US
How do I alter the order of static NAT rules via the CLI?

I'm adding several static NATs to my ASA, and they automatically appear at the end of the NAT entries. In order to move them to where I need/want them, I currently am forced to use the GUI and either cut/paste or use the "Move Up/Move Down" buttons.

Is there a way to more easily insert these rules between existing rules in the CLI, or to renumber them?
 
Sort by date Sort by votes
In 8.2 and before - no there's not. When you you use arrows the ASDM will end up issuing a bunch on "no static..." and re-adding them in the desired order. You can do that too.
 
Upvote 0 Downvote
We're running 8.3(2).

I think we've found it - there's a way to number the NAT rule:

nat (interface,interface) ### source etc.

That ### is where the rule will be placed.

Solved my issue!

Thanks!
 
Upvote 0 Downvote
Another thing to keep in mind is that before anything gets NATted, it must be permitted in an acl. The ASA checks for acl entries to ensure the traffic is allowed, THEN NAT is applied. I understand you're only concerned with the NAT itself and reordering.

Also, you can put new ACEs in an acl and use the keyword "inactive" at the end

access-list duh permit tcp host 10.22.22.12 host 10.1.2.3 eq 22 inactive
access-list duh permit tcp 10.22.22.0 255.255.255.0 host 10.1.2.3 eq 22
access-list duh permit tcp 172.25.22.0 255.255.255.0 host 10.1.2.3 eq 22

I can use this next function to reorder the ACEs or put the last deny ip any any at line 800, because I want to log all unallowed attempts and still have room between the permit ACEs and the last deny...

access-list duh line 800 extended deny ip any any log

note the need of the keyword "extended" when using the "line ###" function.

10 ? "TIMMAY!!!"
20 goto 10
run
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!!!
TIMMAY!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
309
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
279
intel233
intel233
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
187
gkreg
gkreg
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
198
AllenH12
AllenH12
quar
  • Locked
  • Question
Moving a rule
Replies
2
Views
157
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top