11-20-2007 04:32 AM - edited 03-11-2019 04:33 AM
Hi,
I have an ASA running ver 8.0.
I want to create a static NAT for one host residing on the LAN hanging off the inside interface.
All other traffic going through the firewall should not be natted (or natted to the same IP). Would this configuration work OK?
nat-control
static (inside,outside) 10.131.2.19 10.1.19.9
nat (inside) 0 access-list nonat
nat (outside) 0 access-list nonat
access-list nonat permit ip any any
Any advice on how to do this a better way would also be appreciated.
Cheers
Lee
11-20-2007 07:30 AM
Hi Lee
nat-control
static (inside,outside) 10.131.2.19 10.1.19.9
nat (inside) 0 0.0.0.0 0.0.0.0
That should do the trick. The static takes preference over the NAT statement. The NAT statement just says do not NAT any traffic.
HTH
Jon
11-20-2007 01:02 PM
The "nat (outside) 0 access-list nonat" is redundant/unnecessary. This is a NAT exemption statement, so it works bidirectionally. A NAT 0 works unidirectionally and specifies a single IP going in or out.
11-21-2007 01:34 AM
Hi Lee,
If you don't want to NAT all traffic, then don't use the nat-control command, because this command will pass only natted addresses, and if any address is not natted, it will be dropped.
To perform natting on a specific internal ip address, you can use:
nat (inside) 2 10.1.19.9 (INTERNAL IP)
global (outside) 2 10.131.2.19 (EXTERNAL IP)
This will NAT the internal address 10.2.19.9 to an external address 10.131.2.19.
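An added example, not part of any post in this thread: a small Python model of the documented pre-8.3 ASA order for matching a real address (NAT exemption first, then static, then regular/identity NAT), run against the configurations posted above. The function name, the dict layout and the host 10.1.19.50 are assumptions made for illustration, and each access list is reduced to the source networks it permits.

```python
import ipaddress

def translate(src, cfg):
    """Model how a pre-8.3 ASA picks a NAT rule for an outbound source address.

    Categories are tried in the documented order: NAT exemption
    (nat 0 access-list), then static, then regular nat (identity nat 0).
    Assumption: each ACL is reduced to the source networks it permits.
    """
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(n) for n in cfg.get("exempt", [])):
        return ("nat-exemption", src)
    for real, mapped in cfg.get("static", {}).items():
        if ip == ipaddress.ip_address(real):
            return ("static", mapped)
    if any(ip in ipaddress.ip_network(n) for n in cfg.get("identity", [])):
        return ("identity-nat", src)
    # No rule matched: nat-control drops the packet, otherwise it passes as-is.
    return ("dropped", None) if cfg.get("nat_control") else ("untranslated", src)

STATIC = {"10.1.19.9": "10.131.2.19"}   # real -> mapped, from the thread

# First post: static plus "nat (inside) 0 access-list nonat" (permit ip any any)
FIRST_POST = {"nat_control": True, "static": STATIC, "exempt": ["0.0.0.0/0"]}
# First reply: static plus "nat (inside) 0 0.0.0.0 0.0.0.0"
FIRST_REPLY = {"nat_control": True, "static": STATIC, "identity": ["0.0.0.0/0"]}
# Static only, with and without nat-control (constructed variants)
STATIC_ONLY = {"nat_control": True, "static": STATIC}
NO_NAT_CONTROL = {"nat_control": False, "static": STATIC}

if __name__ == "__main__":
    for name, cfg in [("first post", FIRST_POST), ("first reply", FIRST_REPLY),
                      ("static only", STATIC_ONLY), ("no nat-control", NO_NAT_CONTROL)]:
        for host in ("10.1.19.9", "10.1.19.50"):  # 10.1.19.50 is a constructed host
            print(f"{name:15} {host:11} -> {translate(host, cfg)}")
```

In this model the any/any exemption ACL from the first post matches before the static, so 10.1.19.9 leaves with its real address, while the identity NAT from the first reply lets the static win. On the device itself, `show xlate` and `packet-tracer` show which rule a given flow actually matched.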