Static NAT with ACL

Rupesh Kashyap
Level 1

Hi,

I have internal network 192.168.1.x. I have an ASA having public IP range 50.50.50.0/24.

My requirement is: whenever internal host 192.168.1.1 wants to talk to external server range 200.200.200.0/24, the source address should translate to 50.50.50.1.

I have done two things and it is working fine as per my requirement.

ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 200.200.200.0 255.255.255.0
ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-A

Now I have three questions:

1. Will this NAT be two-sided? I mean, if the 200.200.200.0/24 subnet wants to reach 50.50.50.1, then what happens? Will any source or destination address translation occur in this case?

2. If traffic is coming from the outside 200.200.200.0 network, will the internal switch send the traffic to the ASA or to the destination IP 200.200.200.0?

3. Does this policy only work if traffic is initiated from the inside network?


Hi,

1. Will this NAT be two-sided? I mean, if the 200.200.200.0/24 subnet wants to reach 50.50.50.1, then what happens? Will any source or destination address translation occur in this case?

NAT will work on both sides. If the traffic is coming from your inside interface 192.168.x.x, then based on your NAT it will be converted into that specific public IP address, and vice versa.

2. If traffic is coming from the outside 200.200.200.0 network, will the internal switch send the traffic to the ASA or to the destination IP 200.200.200.0?

That depends upon your routing. You have to configure a default route towards the internet, so that internet traffic will reach the firewall and then the traffic will move towards the internet.

3. Does this policy only work if traffic is initiated from the inside network?

No. Since you have applied this ACL to NAT, it will work on both sides. If you had applied this ACL to the inside interface, then it would work only on the inside.

Regards

Karuppu

Thanks, man. As you said, it will work on both sides. But the ACL is planned from 192.168.1.1 to 200.200.200.0/24.

How will the ACL match if traffic is coming from outside to inside? This is the only reason I am confused. Please help.

ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 200.200.200.0 255.255.255.0
ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-A

Hi,

For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation.

For more information, have a look at the URL below:

http://cisco.biz/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079137

Regards

Karuppu
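To make the two-direction matching from the reply above concrete, here is an added example (not from this thread or from Cisco) that models how the thread's policy static NAT entry is evaluated in both directions. It assumes the ASA 8.2-style behaviour described in the reply: inside-originated traffic is matched on real source plus destination, and outside-originated traffic is only allowed to use the translation when the remote source falls inside the ACL's destination network. The packets are constructed; a real ASA consults its NAT table, this only illustrates the matching logic.

```python
from ipaddress import ip_address, ip_network

# Values taken from the configuration in the question.
REAL_HOST = ip_address("192.168.1.1")        # inside real address (ACL source)
MAPPED_HOST = ip_address("50.50.50.1")       # outside mapped address from "static"
REMOTE_NET = ip_network("200.200.200.0/24")  # ACL destination network


def policy_static_nat(direction, src, dst):
    """Apply the thread's policy static NAT to one packet.

    direction is "inside->outside" or "outside->inside".
    Returns (new_src, new_dst) as strings when the translation applies,
    or None when the policy does not match and no translation occurs.
    """
    src, dst = ip_address(src), ip_address(dst)
    if direction == "inside->outside":
        # Forward direction: the ACL matches real source and destination;
        # the source is rewritten to the mapped address.
        if src == REAL_HOST and dst in REMOTE_NET:
            return str(MAPPED_HOST), str(dst)
        return None
    if direction == "outside->inside":
        # Reverse direction: the ACL's destination network now acts as the
        # set of remote sources allowed to reach the mapped address; the
        # destination is untranslated back to the real inside host.
        if src in REMOTE_NET and dst == MAPPED_HOST:
            return str(src), str(REAL_HOST)
        return None
    raise ValueError(f"unknown direction: {direction}")


if __name__ == "__main__":
    # Constructed sample flows, one per case the thread asks about.
    flows = [
        ("inside->outside", "192.168.1.1", "200.200.200.10"),  # translated
        ("outside->inside", "200.200.200.10", "50.50.50.1"),  # reverse match
        ("outside->inside", "198.51.100.7", "50.50.50.1"),    # remote not in ACL
        ("inside->outside", "192.168.1.1", "198.51.100.7"),   # dest not in ACL
    ]
    for direction, src, dst in flows:
        print(f"{direction:16} {src:>15} -> {dst:<15} => "
              f"{policy_static_nat(direction, src, dst)}")
```

Only the first two flows are translated; the other two fall through, which is why a remote host outside 200.200.200.0/24 cannot use 50.50.50.1 to reach 192.168.1.1 with this entry alone.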

You mean, if traffic is initiated from the remote network to the internal client network, NAT will automatically use the reverse ACL?

Thanks, man, for your fast response. You are a real champ.

Thanks a lot for your comments, Rupesh.

If you find the post helpful, just give a rating to it. This will be helpful to others while they are going through this post.

Regards

Karuppu
