NAT question

Feb 25th, 2009

Will the following NAT config on an ASA conflict?

First part is for one to one NAT for inside address

static (inside,outside) netmask

access-list outside_in permit tcp host host

Following is an exception for the one-to-one NAT. I have a host on the outside that needs to access the inside host, but they cannot use as the destination. So here was what I proposed:

access-list nat-exception permit ip host host 209.x.x.x

static (inside,outside) access-list nat-exception

access-list outside_in permit tcp host 209.x.x.x host

Basically, I have a static NAT already in place, but have a new customer coming in that needs to access the same internal address via an address that is not the already defined static statement, so I was wondering if the static with the access-list would be a workaround without conflicting with or affecting the one-to-one NAT. I'm guessing the one-to-one NAT trumps my idea. If anyone has any idea on how I can make this work, please advise. Thanks.

allen.malanda_2 Wed, 02/25/2009 - 07:49


I had the same type of issue. I had to use policy NAT to fix it. The policy NAT is triggered by an access-list. Your second NAT command is a policy NAT. You should convert your one-to-one NAT to a policy NAT. You may still see a NAT conflict pop up on your CLI, but it will still work fine.
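The approach the reply describes, written out as an added example that is not part of the original thread: both translations for the same inside host expressed as policy statics in pre-8.3 ASA syntax (the `static` command form used in the question). Every address, the port, and the ACL name `nat-general` are constructed placeholders, because the thread's own addresses are elided.

```cisco
! Constructed placeholder values (documentation ranges), not from the thread:
!   10.1.1.10      inside host
!   198.51.100.10  existing mapped address
!   198.51.100.20  additional mapped address for the new customer
!   192.0.2.25     existing outside peer
!   203.0.113.50   stands in for the 209.x.x.x customer host
!   tcp/443        stands in for the elided service port

! Remove the plain one-to-one static before re-adding it as a policy static.
no static (inside,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255

! Policy static for the new customer: matches only traffic between the
! inside host and that single outside host. It is entered ahead of the
! broader rule on the assumption that statics are evaluated in
! configuration order, so the narrower match is reached first.
access-list nat-exception extended permit ip host 10.1.1.10 host 203.0.113.50
static (inside,outside) 198.51.100.20 access-list nat-exception

! The former one-to-one static, rewritten as a policy static that covers
! every other destination.
access-list nat-general extended permit ip host 10.1.1.10 any
static (inside,outside) 198.51.100.10 access-list nat-general

! Interface ACL entries reference the mapped addresses in this syntax.
! Keep each entry scoped to one source host and one port.
access-list outside_in extended permit tcp host 192.0.2.25 host 198.51.100.10 eq 443
access-list outside_in extended permit tcp host 203.0.113.50 host 198.51.100.20 eq 443
access-group outside_in in interface outside

! Checks after the change:
!   show xlate
!     confirms which translation entries exist for 10.1.1.10
!   packet-tracer input outside tcp 203.0.113.50 1025 198.51.100.20 443
!     shows which NAT rule and ACL entry the customer's traffic hits
!   packet-tracer input outside tcp 203.0.113.50 1025 198.51.100.10 443
!     should be dropped by outside_in, confirming the customer cannot
!     reach the inside host through the original mapped address
```

Because both translations point at the same inside host, the interface ACL is the only thing separating the two customers' access paths; the last `packet-tracer` check verifies that the separation holds.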

