Static NAT using access-lists?

desmckee
Level 1

Hi,

I have an ASA5520 and I'm having an issue with static NAT configuration.

I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.

This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.

I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address, I would like to flip this logic if possible.

Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1', and for everyone else, don't NAT?

My PIX CLI skills aren't the best, but ASDM suggests that this is possible: on the NAT rules page there is a section for the untranslated source, set to ANY, and if I could change ANY I would, but I don't see how to...

Thanks,

Des

2 Replies

bhatok
Level 1

Des,

You need to create an access-list to be used with the nat 0 statement.

access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

- This tells the PIX/ASA to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2.

Then use the nat 0 statement:

nat (inside) 0 access-list inside_nonat

To permit outside users to see inside addresses without NAT, flip this logic.

access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

nat (outside) 0 access-list outside_nonat

You'll also have to permit this traffic through the ACL of the outside interface.

access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

- Brandon

koltl-gold
Level 1

You need policy static NAT (search cisco.com).

static (inside,outside) 2.2.2.2 access-list acl2 0 0

access-list acl2 permit ip host 1.1.1.1 x.x.x.0 255.255.255.0

With "no nat-control", you don't have to worry about nat 0 and real 1.1.1.1 access.

This feature has some bugs, so I'm not sure you'll succeed.

Peter
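To make the matching logic of both replies concrete, here is a small added model (Python written for this thread, not ASA code and not from either poster) of how the outside interface handles one inbound packet: the policy static entry untranslates 2.2.2.2 to 1.1.1.1 only for the client network named in its access-list, and with "no nat-control" everything else passes unchanged. The client network 10.9.8.0/24 is an assumed stand-in for the thread's x.x.x.0, and the outside ACL entries are assumptions showing what must be permitted in each case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's placeholder addresses.
REAL, MAPPED, CLIENT_NET = "1.1.1.1", "2.2.2.2", "10.9.8.0/24"


@dataclass(frozen=True)
class PolicyStatic:
    """static (inside,outside) MAPPED access-list ACL, where the ACL is
    'permit ip host REAL CLIENT_NET': translate only for those clients."""
    real: str
    mapped: str
    client_net: str


# Peter's single policy static rule.
RULES = [PolicyStatic(REAL, MAPPED, CLIENT_NET)]

# Pre-8.3 the outside interface ACL is checked before untranslation, so it
# sees the mapped address for policy-NAT flows and the real address for
# untranslated ones. Both destinations therefore need an entry (assumed).
OUTSIDE_ACL = [(CLIENT_NET, MAPPED), ("0.0.0.0/0", REAL)]


def acl_permits(acl, src, dst):
    """True if any (source network, destination host) entry matches."""
    return any(ip_address(src) in ip_network(s) and dst == d for s, d in acl)


def untranslate(rules, src, dst):
    """Apply the first policy static whose ACL covers this client and whose
    mapped address was used; otherwise, with no nat-control, leave dst as is."""
    for r in rules:
        if ip_address(src) in ip_network(r.client_net) and dst == r.mapped:
            return r.real
    return dst


def inbound(src, dst, rules=RULES, acl=OUTSIDE_ACL):
    """Return the inside destination a packet from src to dst reaches,
    or None if the outside ACL drops it."""
    if not acl_permits(acl, src, dst):
        return None
    return untranslate(rules, src, dst)
```

A client outside 10.9.8.0/24 sending to 2.2.2.2 is dropped here because no ACL entry and no static covers it, which is the "everyone else, don't NAT" behaviour the question asks for.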
