Static NAT using access-lists?

Hi,

I have an ASA5520 and I'm having an issue with static NAT configuration.

I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.

This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.

I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address I would like to flip this logic if possible.

Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1', and for everyone else, don't NAT?

My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would, but I don't see how to...

Thanks,

Des

bhatok Thu, 11/08/2007 - 10:42

Des,

You need to create an access-list to be used with the nat 0 statement.

access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

- this tells the PIX/ASA to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2

Then use the nat 0 statement:

nat (inside) 0 access-list inside_nonat

To permit outside users to see inside addresses without NAT, flip this logic.

access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

nat (outside) 0 access-list outside_nonat

You'll also have to permit this traffic through the ACL of the outside interface.

access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

- Brandon

koltl-gold Fri, 11/09/2007 - 01:05

You need policy static NAT (search cisco.com).

static (inside,outside) 2.2.2.2 access-list acl2 0 0

access-list acl2 permit ip host 1.1.1.1 x.x.x.0 255.255.255.0

With "no nat-control", you don't have to worry about nat 0 and real 1.1.1.1 access.

This feature has some bugs so I'm not sure you'll succeed.

Peter
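A fuller version of the policy static NAT approach described above, in the pre-8.3 ASA syntax, added here as an example rather than taken from either reply. It assumes the same inside host 1.1.1.1 published as 2.2.2.2, uses the documentation range 192.0.2.0/24 as a constructed stand-in for the client network written as x.x.x.0 above, and assumes the published service is TCP/80.

```cisco
! Added example, not the poster's configuration. Assumes ASA 7.x-8.2 NAT syntax.
! Constructed values: 192.0.2.0/24 = clients that must use the mapped address 2.2.2.2,
! 203.0.113.5 = any other outside client, TCP/80 = the published service.

! Without nat-control, traffic that matches no NAT rule passes untranslated,
! so the majority of clients can reach 1.1.1.1 directly with no nat 0 exemption.
no nat-control

! Policy static NAT: the ACL is written from the inside (real-address) side.
! Only flows between host 1.1.1.1 and 192.0.2.0/24 are translated; the trailing
! "0 0" are the max-connections and embryonic-connection limits (0 = unlimited).
access-list POLICY_STATIC_1111 extended permit ip host 1.1.1.1 192.0.2.0 255.255.255.0
static (inside,outside) 2.2.2.2 access-list POLICY_STATIC_1111 0 0

! Before 8.3 the outside interface ACL matches the address as seen on the outside,
! so the privileged clients are permitted to 2.2.2.2 and everyone else to 1.1.1.1.
! Restricting to the needed port rather than "ip" keeps the exposure minimal.
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 2.2.2.2 eq 80
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 80
access-group OUTSIDE_IN in interface outside

! Verification: confirm which rule each source hits and which address it reaches.
packet-tracer input outside tcp 192.0.2.10 1024 2.2.2.2 80
packet-tracer input outside tcp 203.0.113.5 1024 1.1.1.1 80
show xlate
```

The first packet-tracer run should show the static translation to 1.1.1.1, while the second should pass with no translation applied; if the second is dropped, check that nat-control is disabled and that the inside route to 1.1.1.1 exists.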
