NAT question

[oddyager]

say you have something like this:

static (inside,int10) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0
static (inside,int10) 20.20.1.1 10.10.10.1 netmask 255.255.255.255 0 0

the first statement NATs the entire Class B subnet to itself and the second applies a different NAT for a single host within that class B. How does the PIX know which to use?

 

[Crusty]

I would imagine that the first rule that matches will be used in the translation, but I could be wrong 🙂

 

[spidey07]

I'm pretty sure the longest match (mask length) is used.

 

[Crusty]

Originally posted by: spidey07
I'm pretty sure the longest match (mask length) is used.

That would make sense, it would allow you to apply general translation rules for a network but still have more specific rules.

 

[spidey07]

Not only that but think about how the ASICs are programmed, there's a specific result code that makes the longer mask picked. But I'm not really an expert on PIX architecture, I HAVE to assume NAT is done in hardware. I'm sure there's documentation on cisco.com to answer this finally, most likely in the reference manual.

 

[oddyager]

Thanks all. The PIX does return a warning that the host/subnet you are NAT-ing falls under another NAT rule but it permits the statement either way.

 

[RadiclDreamer]

Originally posted by: spidey07
I'm pretty sure the longest match (mask length) is used.

Correct, same on the ASA