The traffic match criteria used to select a specific NAT policy in static 1:1 NAT (the deterministic part of the configuration) must not overlap with the traffic match criteria used to select a specific NAT policy in filters or in a destination-prefix statement (these are used for traffic diversion to NAT). Otherwise, traffic is dropped in the ISA.
A specific NAT policy in this context refers to a non-default NAT policy, that is, a NAT policy that is directly referenced in a filter, in a destination-prefix command or in a deterministic prefix command.
The following example is used to clarify this point:
Traffic is diverted to NAT using specific nat-policy pol-2:
service vprn 10
    nat
        inside
            destination-prefix 192.168.0.0/16 nat-policy pol-2
            deterministic
                prefix 10.10.10.0/24 subscriber-type classic-lsn-sub nat-policy pol-1
The deterministic (source) prefix 10.10.10.0/30 is configured to be mapped specifically to nat-policy pol-1, which points to a protocol-agnostic 1:1 NAT pool:
service vprn 10
    nat
        inside
            destination-prefix 192.168.0.0/16 nat-policy pol-2
            deterministic
                prefix 10.10.10.0/30 subscriber-type classic-lsn-sub nat-policy pol-1
A packet received in the ISA has source IP 10.10.10.1 and destination IP 192.168.10.10.
If no NAT mapping for this traffic exists in the ISA, a NAT policy (and with it, the NAT pool) must be determined to create the mapping. Traffic is diverted to NAT using nat-policy pol-2, while the deterministic mapping indicates that nat-policy pol-1 should be used (this references a different pool from the one referenced in nat-policy pol-2). Because of this conflict between two specific NAT policies, the traffic is dropped in the ISA.
To successfully pass traffic between two subnets through NAT while simultaneously using static 1:1 NAT and regular LSN44, a default (non-specific) NAT policy can be used for regular LSN44.
For example:
service vprn 10
    nat
        inside
            destination-prefix 192.168.0.0/16
            nat-policy pol-2
            deterministic
                prefix 10.10.10.0/30 subscriber-type classic-lsn-sub nat-policy pol-1
In this case, the four hosts from the prefix 10.10.10.0/30 are mapped in 1:1 fashion to four IP addresses from the pool referenced in the specific nat-policy pol-1, while all other hosts from the 10.10.10.0/24 network are mapped to the NAPT pool referenced by the default nat-policy pol-2. In this way, a NAT policy conflict is avoided.
In summary, a specific NAT policy (in a filter, a destination-prefix command or a deterministic prefix command) always takes precedence over a default NAT policy. However, traffic whose classification criteria (in a filter, a destination-prefix command or a deterministic prefix command) lead to multiple specific NAT policies is dropped.
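The following Python model of the selection rule is an added illustration and is not part of the original documentation or of SR OS itself. It encodes the two configurations above (the conflicting one and the one using a default NAT policy) as constructed data and applies the rule from the summary: a specific policy implied by the destination-prefix match and a specific policy implied by the deterministic source-prefix match each take precedence over the default policy, and the packet is dropped when the two disagree. The `InsideNatConfig` structure, the function names, and the use of longest-prefix matching for both the destination and the deterministic prefixes are assumptions made for this example; the behaviour when no policy at all applies is also assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class InsideNatConfig:
    """Assumed model of 'service vprn <id> nat inside' (not the SR OS data model)."""
    # (destination prefix, specific nat-policy or None for "use the default")
    destination_prefixes: List[Tuple[str, Optional[str]]]
    # (deterministic source prefix, specific nat-policy for 1:1 mapping)
    deterministic_prefixes: List[Tuple[str, str]]
    # default (non-specific) nat-policy configured under 'inside', if any
    default_policy: Optional[str] = None

def _longest_match(prefixes, addr):
    """Assumed longest-prefix match; returns (network, policy) or None."""
    best = None
    for pfx, pol in prefixes:
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, pol)
    return best

def select_nat_policy(cfg, src_ip, dst_ip):
    """Decide which nat-policy creates the mapping for a new flow.

    Returns ("policy", name), ("drop", reason) or ("no-nat", reason).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    # Diversion to NAT happens via destination-prefix (filters are not modelled).
    dst_match = _longest_match(cfg.destination_prefixes, dst)
    if dst_match is None:
        return ("no-nat", "destination not diverted to NAT")

    # Collect every *specific* policy the classification criteria lead to.
    specific = set()
    if dst_match[1] is not None:
        specific.add(dst_match[1])
    det_match = _longest_match(cfg.deterministic_prefixes, src)
    if det_match is not None:
        specific.add(det_match[1])

    if len(specific) > 1:
        # Two different specific policies (two different pools): dropped in the ISA.
        return ("drop", "specific nat-policy conflict: " + ", ".join(sorted(specific)))
    if len(specific) == 1:
        # A specific policy always wins over the default policy.
        return ("policy", specific.pop())
    if cfg.default_policy is not None:
        return ("policy", cfg.default_policy)
    # Assumption: with no policy at all the flow cannot be mapped.
    return ("drop", "no nat-policy applicable")

# Constructed configurations mirroring the two examples in the text.
CONFLICTING = InsideNatConfig(
    destination_prefixes=[("192.168.0.0/16", "pol-2")],
    deterministic_prefixes=[("10.10.10.0/30", "pol-1")],
)
WITH_DEFAULT = InsideNatConfig(
    destination_prefixes=[("192.168.0.0/16", None)],
    deterministic_prefixes=[("10.10.10.0/30", "pol-1")],
    default_policy="pol-2",
)

if __name__ == "__main__":
    for name, cfg in (("conflicting", CONFLICTING), ("with default", WITH_DEFAULT)):
        for src in ("10.10.10.1", "10.10.10.50"):
            print(name, src, "->", select_nat_policy(cfg, src, "192.168.10.10"))
```

Running the block shows the host 10.10.10.1 being dropped under the conflicting configuration and mapped through pol-1 once pol-2 is demoted to the default policy, while a host outside the /30 (10.10.10.50) is mapped through pol-2 in both cases, because only one specific policy applies to it.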