Static NAT using access-lists?


I have an ASA5520 and I'm having an issue with static NAT configuration.

I have an inside host, say, that I want to be accessible from the outside as address

This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of

I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address, I would like to flip this logic if possible.

Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from ->' and for everyone else, don't NAT?

My PIX CLI skills aren't the best, but the ASDM suggests that this is possible: on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would, but I don't see how to...

bhatok Thu, 11/08/2007 - 10:42

You need to create an access-list to be used with the nat 0 statement.

access-list inside_nonat extended permit ip

- this tells the PIX/ASA to NOT perform NAT for traffic going from to

Then use the nat 0 statement:

nat (inside) 0 access-list inside_nonat

To permit outside users to see inside addresses without NAT, flip this logic.

access-list outside_nonat extended permit ip

nat (outside) 0 access-list outside_nonat

You'll also have to permit this traffic through the ACL of the outside interface.

access-list inbound_acl extended permit ip

- Brandon

koltl-gold Fri, 11/09/2007 - 01:05
You need policy static NAT (search

static (inside,outside) access-list acl2 0 0

access-list acl2 permit ip host x.x.x.0

With "no nat-control", you don't have to worry about nat 0 and real access.

This feature has some bugs so I'm not sure you'll succeed.
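A complete worked version of the policy static NAT approach from the reply above, added here as an illustration and not taken from either poster. It uses the pre-8.3 ASA syntax the thread is written in, and every address and port is a constructed placeholder: real inside host 10.1.1.10, mapped address 203.0.113.10, clients in 192.0.2.0/24 that should see the mapped address, and another client network 198.51.100.0/24 that reaches the real address.

```cisco
! Added example, pre-8.3 ASA syntax. All addresses and ports are constructed
! placeholders. Goal: 10.1.1.10 appears as 203.0.113.10 ONLY to 192.0.2.0/24;
! every other outside client reaches 10.1.1.10 by its real address, untranslated.

! nat-control is off by default on ASA 7.x/8.x. With it off, a host that matches
! no nat/static rule passes untranslated, so no nat 0 exemption is needed for
! the clients that should use the real address.
no nat-control

! Policy ACL for the static: source = the REAL inside address, destination = the
! outside clients that get the translated view. Only flows matching this ACL are
! translated; everything else is left alone.
access-list POLICY_STATIC extended permit ip host 10.1.1.10 192.0.2.0 255.255.255.0

! Policy static NAT: 10.1.1.10 <-> 203.0.113.10, applied only when POLICY_STATIC matches
static (inside,outside) 203.0.113.10 access-list POLICY_STATIC

! Inbound ACL on the outside interface. Pre-8.3 ACLs are written against the
! address the outside sees: the MAPPED address for the policy clients, the REAL
! address for everyone else. Port 443 is just the constructed sample service.
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside

! Checks: an xlate for 10.1.1.10 should appear only for sessions from 192.0.2.0/24;
! sessions from 198.51.100.0/24 show up in the connection table with the real address.
! show running-config static
! show xlate
! show conn
```

If the inbound ACL lists the real address for a client that actually matches the policy ACL (or vice versa), the packet is dropped by the ACL before the static is ever consulted, which is the usual reason this setup appears not to work.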
