Monday, February 15, 2010

ASA translation policy order

When looking for a matching translation policy, the appliance goes through the following steps:
1. The appliance looks for an existing translation in the translation table; sometimes Cisco will refer to this as trying to find a “matching xlate slot” in the translation table.
2. If no entry exists in the translation table, the appliance looks for address translation exceptions in the nat 0 (identity NAT) commands on a best-match basis.
3. If there are no matches on the identity NAT commands, the appliance tries to find a match against the configured static NAT commands on a best-match basis.
4. If there are no matches on the static NAT commands, the appliance tries to find a match against the configured static PAT (port address redirection, PAR) policies on a best-match basis.
5. If no match is found within the PAR translation policies, the appliance then looks for a match in its policy nat and global commands, which are qualified by a corresponding ACL.
6. If there is no match on a policy translation configuration, the appliance then looks for a match in its normal nat and global commands.
7. If no translation or translation policy exists for the packet, the appliance drops the packet if NAT control is enabled. If NAT control is not enabled, the packet is not translated but can still flow through the appliance, assuming other appliance policies allow it.
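To make the precedence above concrete, here is an added Python model of the lookup (example code written for this post, not Cisco's implementation or any ASA output). It walks the seven steps in order against a constructed pre-8.3 rule set, with each rule carrying the CLI command it stands in for. Assumptions: "best match" is modelled as longest real-address prefix, then longest destination prefix, then the presence of a port qualifier, and the rule set, addresses and xlate entries are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str              # real (inside) address of the packet
    dst: str
    proto: str = "ip"
    sport: int = 0        # real source port; only static PAT rules look at it


@dataclass(frozen=True)
class Rule:
    tier: str                   # identity | static | static_pat | policy | dynamic
    real: str                   # real-address network the rule covers
    mapped: Optional[str]       # translated address (":port" for PAT); None = unchanged
    dst: str = "0.0.0.0/0"      # destination qualifier for ACL-based (nat 0 / policy) rules
    proto: Optional[str] = None
    sport: Optional[int] = None
    cli: str = ""               # the pre-8.3 command this constructed rule stands in for


# Steps 2 through 6 of the post, in the order the appliance consults them.
TIERS = ["identity", "static", "static_pat", "policy", "dynamic"]

# Constructed rule set (not from a real device).
RULES = [
    Rule("identity", "10.1.0.0/16", None, dst="192.168.0.0/16",
         cli="nat (inside) 0 access-list NONAT"),
    Rule("static", "10.1.1.10/32", "203.0.113.10",
         cli="static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255"),
    Rule("static_pat", "10.1.1.11/32", "203.0.113.11:80", proto="tcp", sport=8080,
         cli="static (inside,outside) tcp 203.0.113.11 80 10.1.1.11 8080 netmask 255.255.255.255"),
    Rule("policy", "10.1.0.0/16", "203.0.113.20", dst="198.51.100.0/24",
         cli="nat (inside) 2 access-list POLICY / global (outside) 2 203.0.113.20"),
    Rule("dynamic", "10.0.0.0/8", "203.0.113.1",
         cli="nat (inside) 1 10.0.0.0 255.0.0.0 / global (outside) 1 interface"),
    Rule("dynamic", "10.1.3.0/24", "203.0.113.30",
         cli="nat (inside) 3 10.1.3.0 255.255.255.0 / global (outside) 3 203.0.113.30"),
]


def _matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's real/destination/protocol/port qualifiers all cover the flow."""
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.real):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.sport is not None and rule.sport != flow.sport:
        return False
    return True


def _specificity(rule: Rule):
    """Best-match key (assumed): longer real prefix, then longer dst prefix, then a port qualifier."""
    return (ipaddress.ip_network(rule.real).prefixlen,
            ipaddress.ip_network(rule.dst).prefixlen,
            rule.sport is not None)


def lookup(flow: Flow, rules=RULES, xlate=None, nat_control=True):
    """Return (stage, mapped_address) following the seven-step order from the post."""
    xlate = xlate or {}
    if flow.src in xlate:                       # step 1: existing xlate slot wins outright
        return "xlate", xlate[flow.src]
    for tier in TIERS:                          # steps 2-6: first tier with any hit decides
        hits = [r for r in rules if r.tier == tier and _matches(r, flow)]
        if hits:
            best = max(hits, key=_specificity)  # best match within that tier
            return tier, (flow.src if best.mapped is None else best.mapped)
    if nat_control:                             # step 7: nothing matched
        return "drop", None
    return "untranslated", flow.src


if __name__ == "__main__":
    for f in (Flow("10.1.1.10", "192.168.5.5"), Flow("10.1.1.10", "8.8.8.8"),
              Flow("10.1.1.11", "8.8.8.8", "tcp", 8080), Flow("10.1.3.9", "8.8.8.8"),
              Flow("172.16.0.5", "8.8.8.8")):
        print(f.src, "->", f.dst, lookup(f))
```

The point to notice is that the tier decides before specificity does: a /32 static entry for 10.1.1.10 loses to the /16 identity rule whenever the destination is inside the NONAT ACL, because identity NAT is consulted first, while within a single tier (the two dynamic rules) the more specific /24 wins over the /8.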
