Static NAT using access-lists?

Unanswered Question

Hi,

I have an ASA5520 and I'm having an issue with static NAT configuration.

I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.

This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.

I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address, I would like to flip this logic if possible.

Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1', and for everyone else, don't NAT?

My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would, but I don't see how to...


Thanks,

Des


bhatok Thu, 11/08/2007 - 10:42

Des,


You need to create an access-list to be used with the nat 0 statement.


access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

- This tells the PIX/ASA to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2.


Then use the nat 0 statement:

nat (inside) 0 access-list inside_nonat


To permit outside users to see inside addresses without NAT, flip this logic.



access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255


nat (outside) 0 access-list outside_nonat


You'll also have to permit this traffic through the ACL of the outside interface.


access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255


- Brandon


koltl-gold Fri, 11/09/2007 - 01:05

You need policy static NAT (search cisco.com).


static (inside,outside) 2.2.2.2 access-list acl2 0 0

access-list acl2 permit ip host 1.1.1.1 x.x.x.0 255.255.255.0


With "no nat-control", you don't have to worry about nat 0 and real 1.1.1.1 access.


This feature has some bugs so I'm not sure you'll succeed.


Peter
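The two approaches in this thread, a nat 0 exemption list (Brandon's reply) and policy static NAT combined with "no nat-control" (Peter's reply), as a small Python model of how one inbound outside-to-inside packet is handled. This is an added example, not configuration or code from Cisco or from anyone in the thread. It assumes the ASA's documented NAT precedence (NAT exemption is checked before static policy NAT), uses 192.0.2.0/24 and 203.0.113.0/24 as constructed stand-ins for the "x.x.x.0/24" client network and for "everyone else", and models only address matching: routing, connection limits and the outside interface ACL are out of scope.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Addresses from the thread. 192.0.2.0/24 is a constructed stand-in for the
# "x.x.x.0/24" client network in Peter's policy static NAT access-list.
REAL_HOST = ip_address("1.1.1.1")       # inside host's real address
MAPPED_HOST = ip_address("2.2.2.2")     # address the host is published as
POLICY_CLIENTS = ip_network("192.0.2.0/24")

# One nat 0 exemption entry as matched on an inbound (outside -> inside)
# packet: (client source network, real destination network).
Exemption = Tuple[IPv4Network, IPv4Network]


def exemption(src_cidr: str, dst_cidr: str) -> Exemption:
    """Build an exemption entry from two CIDR strings."""
    return ip_network(src_cidr), ip_network(dst_cidr)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def inbound_nat(pkt: Packet,
                policy_clients: IPv4Network = POLICY_CLIENTS,
                exemptions: Optional[List[Exemption]] = None,
                nat_control: bool = False) -> Tuple[str, Optional[Packet]]:
    """Decide what happens to one outside -> inside packet.

    Models these lines from the thread:
      nat (outside) 0 access-list <exemptions>
      static (inside,outside) 2.2.2.2 access-list acl2
      access-list acl2 permit ip host 1.1.1.1 <policy_clients>
    Returns (action, packet after translation, or None when dropped).
    """
    # 1. NAT exemption is evaluated before any static rule on the ASA.
    for src_net, dst_net in exemptions or []:
        if pkt.src in src_net and pkt.dst in dst_net:
            return "nat-exempt", pkt

    # 2. Policy static NAT. acl2 is written from the inside host's side
    #    (source = real 1.1.1.1, destination = the clients), so an inbound
    #    packet matches when the client is the source and the mapped
    #    address 2.2.2.2 is the destination; the destination is then
    #    rewritten to the real address.
    if pkt.src in policy_clients and pkt.dst == MAPPED_HOST:
        return "policy-static-nat", Packet(pkt.src, REAL_HOST)

    # 3. No translation matched. With nat-control on, untranslated
    #    traffic is dropped; with "no nat-control" it is forwarded as-is,
    #    which is what lets the other clients reach 1.1.1.1 directly.
    if nat_control:
        return "drop-no-translation", None
    return "untranslated", pkt


def evaluate(src: str, dst: str, **kwargs) -> Tuple[str, Optional[str]]:
    """String-friendly wrapper: returns (action, destination after NAT)."""
    action, out = inbound_nat(Packet(ip_address(src), ip_address(dst)), **kwargs)
    return action, (str(out.dst) if out else None)


if __name__ == "__main__":
    # Constructed sample flows: one policy client, one "everyone else" client.
    for src, dst in [("192.0.2.10", "2.2.2.2"),
                     ("203.0.113.5", "1.1.1.1"),
                     ("203.0.113.5", "2.2.2.2")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

The third sample flow is the one worth noticing: a client outside the policy network that sends to 2.2.2.2 matches no translation, so with "no nat-control" the packet is forwarded unchanged to 2.2.2.2 and never reaches 1.1.1.1. Turning nat-control off only gives "everyone else" access by the real address; reaching the host by 2.2.2.2 still needs a matching static or a nat 0 exemption.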
