You are configuring auto NAT on a Cisco Firepower device. The network object contains rules of both static
and dynamic types from internal subnets. You have configured the rules in the following order:
1. Dynamic NAT: 172.16.1.0/28
2. Static NAT: 192.168.51.8/29
3. Static NAT: 10.10.10.0/24
4. Dynamic NAT: 192.168.32.0/24
5. Static NAT: 10.10.11.1/32
The Firepower receives internal traffic from the 192.168.51.8/29 subnet.
Which of the rules in this scenario will be processed? (Select 2 choices.)
A. 1
B. 2
C. 3
D. 4
E. 5
Explanation:
Of the auto Network Address Translation (NAT) rules configured in this scenario, only the static NAT rule for
the 10.10.11.1/32 network and the static NAT rule for the 192.168.51.8/29 network will be processed. Auto NAT
rules are automatically ordered by the device. Regardless of the order in which you configured the rules in the
network object, auto NAT will always attempt to match static rules before dynamic rules. In addition, auto NAT
will always attempt to match the longest address prefix first, meaning that the rule that contains the smallest
quantity of real IP addresses will be processed before rules containing a larger quantity of real IP addresses.
Therefore, a static NAT mapping that matches 10.10.10.0/24 will be processed before a dynamic NAT
mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32 address has a longer prefix.
In this scenario, auto NAT will first attempt to match the traffic to the static NAT rule with the 10.10.11.1/32
address. This is because that rule is the static rule with the longest prefix. Next, auto NAT will attempt to match
the traffic to the static rule with the second longest prefix, which is 192.168.51.8/29. Because the traffic
matches this rule, the device will not process any of the other auto NAT rules.
If the traffic in this scenario did not match the static 192.168.51.8/29 rule, the device would have continued
processing the auto NAT rules in the following order:
– Static NAT: 10.10.10.0/24
– Dynamic NAT: 172.16.1.0/28
– Dynamic NAT: 192.168.32.0/24
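The ordering rules above, implemented as an added example (this is not code from the question source or from Cisco): static before dynamic, then longest prefix first, and a walk through the ordered rules that stops at the first match. The tie-break for rules with the same type and prefix length (lower network address first) is an assumption, not something the explanation states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class AutoNatRule:
    number: int          # position in which the rule was configured
    kind: str            # "static" or "dynamic"
    real: IPv4Network    # real (inside) addresses the rule translates


def order_auto_nat(rules):
    """Return the rules in the order the device evaluates Section 2 (auto NAT)."""
    # Primary key: static before dynamic. Secondary key: longest prefix first
    # (fewest real addresses). The third key is an assumed tie-break only.
    return sorted(
        rules,
        key=lambda r: (r.kind != "static", -r.real.prefixlen, int(r.real.network_address)),
    )


def processed_rules(rules, src):
    """Rules evaluated for a packet from `src`, in order, up to and including the first match."""
    src = ip_address(src)
    seen = []
    for rule in order_auto_nat(rules):
        seen.append(rule)
        if src in rule.real:
            break  # first match wins; remaining auto NAT rules are not processed
    return seen


def processed_numbers(rules, src):
    """Same walk, reported as the rule numbers from the question."""
    return [r.number for r in processed_rules(rules, src)]


# Constructed to match the five rules as configured in the scenario.
SCENARIO = [
    AutoNatRule(1, "dynamic", ip_network("172.16.1.0/28")),
    AutoNatRule(2, "static", ip_network("192.168.51.8/29")),
    AutoNatRule(3, "static", ip_network("10.10.10.0/24")),
    AutoNatRule(4, "dynamic", ip_network("192.168.32.0/24")),
    AutoNatRule(5, "static", ip_network("10.10.11.1/32")),
]

if __name__ == "__main__":
    print("evaluation order:", [r.number for r in order_auto_nat(SCENARIO)])
    # 192.168.51.10 is a constructed host inside the 192.168.51.8/29 subnet.
    print("processed for 192.168.51.10:", processed_numbers(SCENARIO, "192.168.51.10"))
```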
There are two methods of implementing NAT on a Cisco Firepower device: manual NAT and auto NAT. Of the
two methods, auto NAT is the simplest to configure because NAT rules are configured as components of a
network object. Both source and destination addresses are compared to the rules within the object. Manual
NAT, on the other hand, enables you to specify both the source address and the destination address of a
mapping in a single rule. Therefore, you can configure more granular mapping rules by using manual NAT.
Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided into
three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most specific
manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto NAT rules.
When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section 1 are processed
first and in the order in which they were configured. Manual NAT rules are added to Section 1 by default. If a
match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of the manual
NAT rules in Section 1, the auto NAT rules in Section 2 are processed.
If the traffic matches one of the auto NAT rules, rules in Section 3 are ignored. If the traffic does not match any
of the auto NAT rules, the device will next attempt to match the traffic to the Section 3 manual NAT rules.
Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the
configuration. However, you must specifically place manual NAT rules in this section because the device will not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT rules
be placed in this section, with the most specific of those general rules configured first.
Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order