global NAT - now need some dynamic policy NAT

May 8th, 2008

We've got a global NAT rule

static (inside,outside) interior- interior-192.168 netmask

But now we need some dynamic policy NAT:

access-list inside_nat_outbound line 1 extended permit ip host

global (outside) 1 netmask

The problem is, when we connect to the external network where we need to be natted ( we always fall on the global NAT rule, which is needed for other purposes.

Is there a way to use the global NAT rule but also use a dynamic policy NAT but with same networks?


Collin Clark Thu, 05/08/2008 - 08:58

I would like to verify, your internal users need to access resources on the 'outside'. There are two IP ranges on the outside, 193.14.22.x and 217.77.27.x. Users need to access both, but right now they can only access 193.14.22.x resources because the 217.77.27.x NAT never gets used. Is that correct? Are either of these internet connections or are they partner/B2B type connections?

tj.mitchell Thu, 05/08/2008 - 09:35

Where is the NAT (inside) 1 command to match to the ACL that you created?

AndyWaldoz Fri, 05/09/2008 - 01:34

nat (inside) 1 access-list inside_nat_outbound tcp 0 0 udp 0

Maybe clarify some more.

When the users need to access (partner connection) they need to use a NAT pool (

But the users also need to access the outside interface un-NATTED. The problem is that they always access the outside un-NATTED and the dynamic nat rule is not used when they access

Collin Clark Fri, 05/09/2008 - 05:19

As far as I know you can not set NAT by destination address. I would create another interface for the partner connection.

tj.mitchell Fri, 05/09/2008 - 06:14

Ok, I see the problem. It's the order of commands for how NAT is set up.

Order is this:

NAT Exemption

Static NAT/Static PAT

Policy NAT

Regular dynamic NAT

For all the regular traffic you're at the static NAT, but the policy you're configuring is at Policy NAT.

You can either configure static policy NAT or change the global static NAT that you have to a dynamic NAT policy to move it farther down the food chain.

Let me know if this resolves what you are looking to do..


AndyWaldoz Sun, 05/11/2008 - 04:40

thx for the answers but I think I found the solution.

I was working on an ASA that had the config of an old PIX.

From the things I've read (I'm not a PIX/ASA expert), in the old version of PIX you need a NAT rule for all the traffic that has to go through the PIX.

Since version 7.0 this is not needed with the 'no nat-control' command.

So traffic will go through the ASA un-natted. I can suspend all the most of the old static NAT rules and after that add the dynamic rule.

gonna try that next week...
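
An added sketch (not from any poster in the thread, and not Cisco code) of the first-match lookup order tj.mitchell lists, showing why the identity static shadows the partner policy NAT and what changes once the static is removed as AndyWaldoz plans. All addresses are constructed documentation ranges, and the model assumes 'no nat-control', so unmatched traffic passes untranslated.

```python
import ipaddress

# Lookup order as listed in the thread: earlier categories win over later ones.
ORDER = ["NAT exemption", "Static NAT/Static PAT", "Policy NAT", "Regular dynamic NAT"]

def rule(kind, src, dst="0.0.0.0/0", mapped=None):
    """Build a simplified rule; dst narrows the match only for policy-style rules."""
    return {"kind": kind, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "mapped": mapped}

def select_rule(rules, src_ip, dst_ip):
    """Return the rule that handles this flow, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for kind in ORDER:                      # category precedence, not config order
        for r in rules:
            if r["kind"] == kind and src in r["src"] and dst in r["dst"]:
                return r
    return None

def describe(rules, src_ip, dst_ip):
    """Human-readable result of the lookup for one flow."""
    r = select_rule(rules, src_ip, dst_ip)
    if r is None:
        return "no rule: untranslated"      # assumption: 'no nat-control' is set
    return f'{r["kind"]} -> {r["mapped"]}'

# Constructed sample values (hypothetical, not the poster's real networks).
INSIDE = "192.168.10.0/24"
PARTNER = "198.51.100.0/24"
identity_static = rule("Static NAT/Static PAT", INSIDE, mapped="identity (unchanged)")
partner_policy = rule("Policy NAT", INSIDE, PARTNER,
                      mapped="pool 203.0.113.10-203.0.113.20")

BEFORE = [partner_policy, identity_static]  # policy rule listed first, still loses
AFTER = [partner_policy]                    # identity static removed

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for dst in ("198.51.100.7", "192.0.2.50"):
            print(name, dst, describe(rules, "192.168.10.25", dst))
```
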

