ASA 5520 version 8.0(4)

May 14th, 2009
Dear All,


I am thinking of configuring a Policy NAT associated with a Static Identity NAT in order to exclude my internal networks from NAT.


access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www


static (inside,dmz) 192.168.0.0 access-list POI_NET1_POLICY_NAT


My question is:


Must the ACL used by the Static Identity NAT be applied to the inside interface (access-group POI_NET1_POLICY_NAT interface inside in)?


Thanks and Regards,

Igor.

francisco_1 Thu, 05/14/2009 - 02:41

Your access group should be

access-group POI_NET1_POLICY_NAT in interface inside


NAT

nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT


Or another way for NAT exception:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -

This single statement should work for you. Just make sure you have an ACL to allow the traffic between inside and dmz.

You can only apply one ACL inbound on your inside interface, so make sure the POI_NET1_POLICY_NAT ACL is the ACL you are already using on the inside interface.




See this: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043541



Francisco

francisco_1 Thu, 05/21/2009 - 08:17

Thanks for the rating, Igor.




Francisco

BrinksArgentina Thu, 05/21/2009 - 14:37

The access-list used in the NAT exception should not be used to filter traffic, because a no-NAT ACL cannot contain port numbers.


access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-group INSIDE_IN in interface inside

!NAT
access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2
nat (inside,dmz) 0 access-list no_NAT


And this is a valid configuration, but I see it weird.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -




If it was useful to you, please rate. Thanks!
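A small config lint, added here as an example and not part of any reply in this thread, that enforces the rule stated above: an ACL referenced by `nat ... 0 access-list` must be a plain `ip` match with no port operators, and should not also be bound with `access-group`. The sample config is constructed from the lines quoted in the thread; the parser only understands the simple ACE shapes shown there.

```python
# Constructed sample modelled on the configs quoted in this thread (not from a real device)
SAMPLE_CONFIG = """
access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-group POI_NET1_POLICY_NAT in interface inside
nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT
access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2
nat (inside,dmz) 0 access-list no_NAT
"""

# ASA port operators that have no meaning in a NAT-exemption ACL
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def parse_config(text):
    """Collect ACL entries, nat-exemption references and access-group bindings."""
    acls, nat0, groups = {}, [], {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list" and len(parts) > 2:
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "nat" and "0" in parts and "access-list" in parts:
            # nat (inside,dmz) 0 access-list NAME  -> (interfaces, NAME)
            nat0.append((parts[1], parts[parts.index("access-list") + 1]))
        elif parts[0] == "access-group" and len(parts) >= 5:
            groups[parts[1]] = (parts[4], parts[2])  # NAME -> (interface, direction)
    return acls, nat0, groups


def lint_nat_exemption(text):
    """Return human-readable findings for every nat 0 ACL that breaks the rule."""
    acls, nat0, groups = parse_config(text)
    findings = []
    for _ifaces, name in nat0:
        for ace in acls.get(name, []):
            proto = ace[2] if len(ace) > 2 and ace[0] == "extended" else None
            if proto and proto != "ip":
                findings.append(f"{name}: nat 0 ACE uses protocol {proto}; expected ip")
            if any(tok in PORT_OPS for tok in ace):
                findings.append(f"{name}: nat 0 ACE carries a port match")
        if name in groups:
            findings.append(f"{name}: also bound with access-group on {groups[name][0]}")
    return findings


if __name__ == "__main__":
    for finding in lint_nat_exemption(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the reused POI_NET1_POLICY_NAT ACL three times and stays silent on no_NAT, which is the separation the reply recommends.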

francisco_1 Fri, 05/22/2009 - 12:00

"And this is a valid configuration, but I see it weird"

Weird?? I didn't know Cisco's NAT configuration guides contain weird stuff!!
