ASA 5520 version 8.0(4)

ifabrizio
Level 1

Dear All,

I am thinking to configure a Policy Nat associated to a Static Identity Nat in order to exclude my internal networks from nat.

access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www

static (inside,dmz) 192.168.0.0 access-list POI_NET1_POLICY_NAT

My question is:

The ACL used by the Static Identity Nat must be applied to the inside interface (access-group POI_NET1_POLICY_NAT interface inside in )?

Thanks and Regards,

Igor.

4 Replies

francisco_1
Level 7

Your access-group should be

access-group POI_NET1_POLICY_NAT in interface inside

NAT

nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT

or another way for NAT exception

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -

This single statement should work for you. Just make sure you have an ACL to allow the traffic between inside and dmz.

You can only apply one ACL inbound on your inside interface, so make sure POI_NET1_POLICY_NAT is the ACL you are already using on the inside interface.

See this: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043541

Francisco

Thanks for the rating, Igor.

Francisco

The access-list used in the nat exception should not be used to filter traffic because no-nat acl can not contain port numbers.

access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www

access-group INSIDE_IN in interface inside

!NAT

access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2

nat (inside,dmz) 0 access-list no_NAT

And this is a valid configuration, but I see it as weird.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -

If it was useful to you, please rate. Thanks!
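The point Francisco makes above (a NAT-exemption ACL referenced by `nat (...) 0 access-list` must match on addresses only, so filtering and no-NAT should use separate ACLs) is easy to get wrong when a filtering ACL is reused. The following is an added example, not code from this thread or from Cisco: a small Python lint that reads ASA 8.x-style config lines, finds every ACL named by a `nat (...) 0 access-list <NAME>` statement, and flags ACEs that use a protocol other than `ip` or carry a port qualifier. The config snippets embedded below are constructed from the lines posted in this thread; the "bad" one reuses the OP's port-specific ACL as a no-NAT ACL, which is exactly the mistake being warned against.

```python
"""Lint ASA NAT-exemption ACLs (hypothetical checker, written for this thread).

Rule checked: an ACL referenced by `nat (<if1>,<if2>) 0 access-list <NAME>`
should contain only `ip` ACEs with no port qualifier (eq/gt/lt/neq/range).
"""
import re
from collections import defaultdict

# access-list <NAME> extended <permit|deny> <proto> <rest of ACE>
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# nat (<if1>,<if2>) 0 access-list <NAME>
NAT0_RE = re.compile(r"^nat\s+\([^)]+\)\s+0\s+access-list\s+(\S+)")
PORT_RE = re.compile(r"\b(eq|gt|lt|neq|range)\b")

# Constructed sample: separate filtering ACL and address-only no-NAT ACL (correct).
GOOD_CONFIG = """
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-group INSIDE_IN in interface inside
access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2
nat (inside,dmz) 0 access-list no_NAT
"""

# Constructed sample: the port-specific filtering ACL reused for NAT exemption (wrong).
BAD_CONFIG = """
access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-group POI_NET1_POLICY_NAT in interface inside
nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT
nat (inside,dmz) 0 access-list MISSING_ACL
"""


def parse_acls(config):
    """Group extended ACEs by ACL name: name -> [(action, proto, rest), ...]."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest))
    return acls


def nat_exempt_acls(config):
    """Return the set of ACL names referenced by `nat ... 0 access-list` lines."""
    names = set()
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def lint(config):
    """Return a list of (acl_name, message) findings; empty list means clean."""
    acls = parse_acls(config)
    findings = []
    for name in sorted(nat_exempt_acls(config)):
        if name not in acls:
            findings.append((name, "referenced by nat 0 but never defined"))
            continue
        for _action, proto, rest in acls[name]:
            if proto != "ip":
                findings.append((name, f"protocol '{proto}' in no-NAT ACL; use 'ip'"))
            if PORT_RE.search(rest):
                findings.append((name, f"port qualifier in no-NAT ACL: '{rest}'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD_CONFIG), ("BAD", BAD_CONFIG)):
        print(label, lint(cfg) or "clean")
```

Run it against a saved `show running-config` to spot any no-NAT ACL that was borrowed from an interface access-group; `static (...) <ip> access-list` policy NAT statements are deliberately not checked here, since the thread only makes the address-only claim for `nat 0`.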

"And this is a valid configuration, but i see it weird"

Weird?? I didn't know Cisco's NAT configuration guides contain weird stuff!!
