×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Nat 0 Configuration issue with ACL deny policy on ASA ver(9.1)

Unanswered Question
Jul 16th, 2014
User Badges:

Hello Everyone,

I have recently installed Cisco ASA 5525 in our customer premises. Issue with  ACL deny policy in regular nat 0 exemption. In Old setup, They have PIX 525 with old version. In ASA 9.1 Cisco removed the nat 0 exemption keyword command

Please help me with nat 0 exemption in term of creation of ACL deny policy.

 

Old setup Pix access list with nat 0 exemption

 

access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.216.150  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.160.41  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.128.96 255.255.255.240  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.171.0 255.255.255.0  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.179.0 255.255.255.0  
access-list Private_inside_nat0_outbound remark Testing
access-list Private_inside_nat0_outbound extended deny ip 192.168.70.0 255.255.255.0 192.168.179.0 255.255.255.0  
access-list Private_inside_nat0_outbound extended permit ip any any  
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.40 host 192.168.128.108  
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.101 host 192.168.128.110
access-list private_outside_nat0_inbound extended permit ip 192.168.100.128 255.255.255.128 any
access-list Private_dmz_nat0_outbound_1 remark CPC
access-list Private_dmz_nat0_outbound_1 extended deny ip host 192.168.6.167 any  
access-list Private_dmz_nat0_outbound_1 extended permit ip any any
access-list NCP_nat0_inbound remark NCP_TO_ABC
access-list NCP_nat0_inbound extended deny ip host 192.168.128.108 host 192.168.100.40  
access-list NCP_nat0_inbound extended deny ip host 192.168.141.177 host 192.168.100.86


nat (inside) 0 access-list Private_inside_nat0_outbound
nat (outside) 0 access-list private_outside_nat0_inbound outside
nat (dmz) 0 access-list Private_dmz_nat0_outbound_1
nat (NCP) 0 access-list NPCI_nat0_inbound outside
 
static (inside,NCP) interface 192.168.100.40 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.108 192.168.100.28 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.110 192.168.100.101 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.109 192.168.100.29 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.102 192.168.100.33 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.105 192.168.100.63 netmask 255.255.255.255  
static (dmz,NCP) 192.168.128.104 192.168.6.167 netmask 255.255.255.255  
static (inside,NCP) 192.168.141.177 192.168.100.86 netmask 255.255.255.255

 

- Sagar

 

 

 

 

 

 

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
anatara2 Wed, 07/16/2014 - 02:51
User Badges:

Hi Sagar,

 

Concept of NAT-Control is not present in post 8.2 versions.

 

Access control can be applied as ACL's and not through natting.

 

Regards,

Anand

Actions

This Discussion