Policy static NAT on ASA



I have an ASA box here running 7.2.3 code. Below is the goal.

Simple configuration. Inside and outside. When inside subnets go out to the internet, they use PAT (global and nat commands). However, if the inside hosts go to a specific address (my 3rd-party MSP), the source addresses should be NATed.

Below is my config.

access-list msp-nat permit ip host

static(inside,outside) access-list msp-nat netmask

However, the issue is that netmask is shown as a valid option if you hit ?, but when you type it in, it tells me it's not a valid option.

my-fw(config)# static (inside,outside) access-list msp-nat netmask

invalid option netmask

Usage: [no] static [(real_ifc, mapped_ifc)]


{<real_ip> [netmask <mask>]} | {access-list <acl_name>}



I am sure I am not the first guy who is running into this requirement. Almost all 3rd-party VPN connections require some kind of NAT to avoid overlapping IPs.

Any help is greatly appreciated.

acomiskey Tue, 04/15/2008 - 12:25

From command ref:

"If you use the access-list keyword instead of the real_ip, then the subnet mask used in the access list is also used for the


So you should be able to do...

access-list msp-nat permit ip host

static (inside,outside) access-list msp-nat

sundar.palaniappan Tue, 04/15/2008 - 12:42

The source subnet mask used in the access list is also used for the mapped addresses.

I don't know why the CLI is even showing the netmask as an option since it's not part of the static command structure.

For policy static NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [udp


Create the access list using the access-list command (see the "Adding an Extended Access List" section). This access list should include only permit ACEs. The source subnet mask used in the access list is also used for the mapped addresses. You can also specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section for more information.



acomiskey Tue, 04/15/2008 - 12:44

It takes the mask from the real address in the acl.

So it's almost like...

static (inside,outside) netmask

You're just moving the real ip and mask up to the acl.

It doesn't seem to be working though. I don't see ACL hit counts anywhere. Here is the full sanitized config.

access-list msp-vpn extended permit ip host

access-list msp-nat extended permit ip host


global (outside) 1 interface

nat (inside) 1

static (inside,outside) access-list msp-nat


crypto map vpn-map 10 match address msp-vpn

crypto map vpn-map 10 set peer x.x.x.x

crypto map vpn-map 10 set transform-set ESP-3DES-MD5


crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400


tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

MYFW(config)# show xlate

36 in use, 250 most used

Global Local

PAT Global x.x.x.x(1798) Local

<< more output trimmed here >>

So with this config, I don't even see the VPN triggering since NAT doesn't trigger. 'show access-list' doesn't show the hit count incrementing on either of the ACLs mentioned above.

sundar.palaniappan Tue, 04/15/2008 - 13:08

Configuration looks good. Did you do a 'clear xlate' after the configuration change? If it still doesn't work, try policy NAT instead of policy static NAT.

Jon Marshall Tue, 04/15/2008 - 13:10


Could you try this just to make sure it's not something else:

1) remove the static entry

2) add the following config

nat (inside) 2 access-list msp-nat

global (outside) 2


That doesn't work for me since that would work only for traffic from inside to outside. I need static since the MSP needs to reach each individual IP for monitoring purposes. We need to reach the MSP server to send traps/syslog.

To prove my logic here, I ran the capture command with an ACL and pinged the destination IP.

access-list debug-nat extended permit ip any host


capture debug-inside type raw-data access-list debug-nat buffer 1024000 interface inside

capture debug-outside type raw-data access-list debug-nat buffer 1024000 interface outside


MYFW(config)# sh capture debug-inside

3 packets captured

1: 13:08:28.210468 802.1Q vlan#1 P0 > icmp: echo request

2: 13:08:33.365383 802.1Q vlan#1 P0 > icmp: echo request

3: 13:08:38.864976 802.1Q vlan#1 P0 > icmp: echo request

3 packets shown

MYFW(config)# sh capture debug-outside

4 packets captured

1: 13:08:28.210651 802.1Q vlan#2 P0 > icmp: echo request

2: 13:08:33.365535 802.1Q vlan#2 P0 > icmp: echo request

3: 13:08:38.865143 802.1Q vlan#2 P0 > icmp: echo request

4: 13:08:44.364834 802.1Q vlan#2 P0 > icmp: echo request


Thanks a lot to whoever responded. This thing might have already been working all along, but because of my VPN issues, I was testing it with packet capture. I was just comparing packet captures on the inside and outside interfaces and it still showed the original source address. I guess it has something to do with order of operation.

If you want to see where and how the NAT happens, run packet-tracer on the ASA and you will see it clearly, like this:

Phase: 7

Type: NAT


Result: ALLOW


static (inside,outside) access-list msp-nat


match ip inside outside host

static translation to

translate_hits = 13, untranslate_hits = 0

Additional Information:

Static translate to using netmask
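The two points the thread settles are that the ASA takes the mapped-address mask from the source address in the policy ACL (which is why there is no netmask keyword with the access-list form), and that a policy static is bidirectional, so the MSP can reach individual hosts, while the nat/global policy NAT suggested above only translates sessions that inside hosts initiate. The following Python model is an added example, not anything posted in the thread and not ASA code; it mimics that lookup logic on constructed RFC 5737 documentation addresses (the 10.1.1.0/24 inside subnet, the 192.0.2.0 mapped address and the 198.51.100.10 MSP host are all made up for the example):

```python
# Added example: a small model of ASA 7.x policy static NAT versus policy
# dynamic NAT. The addresses below are constructed documentation ranges and
# are not the thread's real configuration.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def ip(s: str) -> IPv4:
    return ipaddress.IPv4Address(s)


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of the policy ACL."""
    src: Net  # the source mask is reused for the mapped block (no netmask keyword)
    dst: Net


@dataclass(frozen=True)
class PolicyStatic:
    """Models 'static (inside,outside) <mapped_ip> access-list <acl>'."""
    mapped_ip: IPv4
    acl: tuple[Ace, ...]

    def _mapped_block(self, ace: Ace) -> Net:
        # The ASA derives the mask from the ACE's real (source) address: a /24
        # source ACE maps onto a /24 block starting at mapped_ip, a host ACE to one IP.
        return net(f"{self.mapped_ip}/{ace.src.prefixlen}")

    def translate(self, src: IPv4, dst: IPv4) -> IPv4 | None:
        """Real -> mapped for a packet leaving the real (inside) interface."""
        for ace in self.acl:
            if src in ace.src and dst in ace.dst:
                offset = int(src) - int(ace.src.network_address)
                return self._mapped_block(ace).network_address + offset
        return None  # no policy match: ordinary nat/global PAT applies instead

    def untranslate(self, mapped_dst: IPv4, outside_src: IPv4) -> IPv4 | None:
        """Mapped -> real for a packet arriving on the mapped (outside) interface.
        Needs no prior outbound session, which is what lets the MSP poll hosts."""
        for ace in self.acl:
            block = self._mapped_block(ace)
            if mapped_dst in block and outside_src in ace.dst:
                offset = int(mapped_dst) - int(block.network_address)
                return ace.src.network_address + offset
        return None


@dataclass
class PolicyDynamic:
    """Models 'nat (inside) 2 access-list <acl>' + 'global (outside) 2 <pool>':
    an xlate exists only after an inside host initiates a matching session."""
    pool: Net
    acl: tuple[Ace, ...]
    xlate: dict[IPv4, IPv4] = field(default_factory=dict)

    def translate(self, src: IPv4, dst: IPv4) -> IPv4 | None:
        for ace in self.acl:
            if src in ace.src and dst in ace.dst:
                if src in self.xlate:
                    return self.xlate[src]
                used = set(self.xlate.values())
                for cand in self.pool.hosts():  # first free pool address
                    if cand not in used:
                        self.xlate[src] = cand
                        return cand
                return None  # pool exhausted
        return None

    def untranslate(self, mapped_dst: IPv4, outside_src: IPv4) -> IPv4 | None:
        # Unsolicited inbound traffic has no xlate to reverse and is dropped.
        for real, mapped in self.xlate.items():
            if mapped == mapped_dst:
                return real
        return None


# Constructed policy: whole inside /24 NATed only when talking to the MSP host.
MSP_ACL = (Ace(net("10.1.1.0/24"), net("198.51.100.10/32")),)
STATIC = PolicyStatic(ip("192.0.2.0"), MSP_ACL)

if __name__ == "__main__":
    print(STATIC.translate(ip("10.1.1.37"), ip("198.51.100.10")))   # 192.0.2.37
    print(STATIC.translate(ip("10.1.1.37"), ip("203.0.113.9")))     # None
    print(STATIC.untranslate(ip("192.0.2.37"), ip("198.51.100.10")))  # 10.1.1.37
```

The static lookup is the behaviour the packet-tracer output above reports in its NAT phase: the translate direction matches the ACE and adds the host offset to the mapped block, and the reverse direction works from a cold start. The dynamic variant reproduces the objection raised against the nat/global suggestion: until a host inside has sent traffic to the MSP there is nothing to untranslate, so monitoring traffic from the MSP side cannot reach it.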

