You are configuring manual NAT on a Cisco Firepower device.
Which of the following best describes the order in which the NAT rules will be processed? (Select the best answer.)
A. on a first-match basis in the order that they appear in the configuration
B. the most general rules first followed by the most specific rules
C. static rules first followed by dynamic rules
D. shortest prefix first followed by longer prefixes
Explanation:
The Firepower device will process the Network Address Translation (NAT) rules on a first-match basis in the order that
they appear in the configuration if you are configuring manual NAT. There are two methods of implementing
NAT on a Cisco Firepower device: manual NAT and auto NAT. Of the two methods, auto NAT is the simplest to
configure because NAT rules are configured as components of a network object. Both source and destination
addresses are compared to the rules within the object. Manual NAT, on the other hand, enables you to specify
both the source address and the destination address of a mapping in a single rule. Therefore, you can
configure more granular mapping rules by using manual NAT.
Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided into
three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most specific
manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto NAT rules.
When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section 1 are processed
first and in the order in which they were configured. Manual NAT rules are added to Section 1 by default. If a
match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of the manual
NAT rules in Section 1, the auto NAT rules in Section 2 are processed.
Auto NAT rules are automatically ordered by the device. Regardless of the order in which you configured the
rules in the network object, auto NAT will always attempt to match static rules before dynamic rules. In addition,
auto NAT will always attempt to match the longest address prefix first, meaning that the rule that contains the
smallest quantity of real IP addresses will be processed before rules containing a larger quantity of real IP
addresses. Therefore, a static NAT mapping that matches 10.10.10.0/24 will be processed before a dynamic
NAT mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32 address has a longer prefix. If the
traffic matches one of the auto NAT rules, rules in Section 3 are ignored. If the traffic does not match any of the
auto NAT rules, the device will next attempt to match the traffic to the Section 3 manual NAT rules.
Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the
configuration. However, you must specifically place manual NAT rules in this section because the device will
not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT rules
be placed in this section, with the most specific of those general rules configured first.
Reference: Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order
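The three-section lookup described in the explanation is easy to misread, so the following added example (not from the original question, and not Cisco's code) models it in Python: Section 1 and Section 3 hold manual NAT rules in configuration order, Section 2 holds auto NAT rules re-sorted static-before-dynamic and then fewest-real-addresses first, and the first matching rule wins. Rule names, addresses and the assumption that ties among auto NAT rules keep configuration order are constructed for the example.

```python
"""Added example (not from the original page): a model of how a Cisco Firepower
device orders NAT rules across the three-section translation table.
Rule names, addresses and the auto NAT tie-break are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    real: str                          # real (pre-translation) source network
    kind: str                          # "static" or "dynamic"
    manual: bool                       # True = manual NAT, False = auto NAT
    section: int = 1                   # manual NAT defaults to Section 1; set 3 explicitly
    destination: Optional[str] = None  # manual NAT may also match on destination

    def matches(self, src: str, dst: str) -> bool:
        """True if the packet's source (and destination, when given) fits this rule."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.real):
            return False
        if self.destination is not None and \
                ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return True


def auto_nat_key(rule: NatRule):
    """Sort key for Section 2: static before dynamic, then the rule covering the
    fewest real IP addresses (longest prefix) first. Ties keep configuration
    order because Python's sort is stable (an assumption; the page does not
    describe tie-breaking)."""
    return (0 if rule.kind == "static" else 1,
            ipaddress.ip_network(rule.real).num_addresses)


def build_table(configured: List[NatRule]) -> List[NatRule]:
    """Assemble the ordered translation table from rules in configuration order."""
    section1 = [r for r in configured if r.manual and r.section == 1]
    section2 = sorted((r for r in configured if not r.manual), key=auto_nat_key)
    section3 = [r for r in configured if r.manual and r.section == 3]
    return section1 + section2 + section3


def lookup(table: List[NatRule], src: str, dst: str) -> Optional[str]:
    """First match wins; later sections are never consulted once a rule matches."""
    for rule in table:
        if rule.matches(src, dst):
            return rule.name
    return None


# Constructed configuration, deliberately entered in an unhelpful order so the
# automatic re-ordering of the auto NAT rules is visible.
CONFIGURED = [
    NatRule("auto-dyn-32", "10.10.10.10/32", "dynamic", manual=False),
    NatRule("auto-static-24", "10.10.10.0/24", "static", manual=False),
    NatRule("auto-dyn-16", "10.10.0.0/16", "dynamic", manual=False),
    NatRule("manual-s1-dmz", "10.10.10.0/24", "static", manual=True,
            destination="198.51.100.0/24"),
    NatRule("manual-s3-general", "10.0.0.0/8", "dynamic", manual=True, section=3),
]
TABLE = build_table(CONFIGURED)

if __name__ == "__main__":
    print([r.name for r in TABLE])
    print(lookup(TABLE, "10.10.10.10", "198.51.100.7"))  # manual-s1-dmz
    print(lookup(TABLE, "10.10.10.10", "192.0.2.5"))     # auto-static-24
    print(lookup(TABLE, "10.10.20.30", "192.0.2.5"))     # auto-dyn-16
    print(lookup(TABLE, "10.99.1.1", "192.0.2.5"))       # manual-s3-general
```

Running it shows the point the explanation makes: the static /24 auto NAT rule is placed ahead of the dynamic /32 rule even though the /32 has the longer prefix, and a packet from 10.10.10.10 only reaches Section 2 when the Section 1 manual rule's destination does not match.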