Interface to interface NAT exemption and access

paulkbeyer (Level 1)

Hi,

I've got an ASA5520 7.0(4) and I'm trying to get two interfaces to talk to each other without NAT:

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.99.36.4 255.255.252.0
!
interface GigabitEthernet0/0.1
vlan 10
nameif insidevoice
security-level 90
ip address 10.99.60.4 255.255.252.0

I don't have any static entries defined for these interfaces and I feel this is what I'm missing, but I don't understand the context I need for them.

access-list nonatvoice extended permit ip object-group godalmingvnet object-group godalmingnet
object-group network godalmingnet
description network godalming
network-object 10.99.36.0 255.255.252.0
object-group network godalmingvnet
description voice network godalming
network-object 10.99.60.0 255.255.252.0
nat 0 (insidevoice) access-list nonatvoice

That's all the config I believe is relevant for the interfaces - can anyone help?


grant.maynard (Level 4)

Always think of the basic rules of PIX NAT:

high security -> low (e.g. inside users surfing internet) you need nat&global.

low security -> high (e.g. external access to a mail server) you need static (& ACL).

no_NAT makes it more complicated but you could do this in one of three ways:

access-list nonatvoice extended permit ip object-group godalmingnet object-group godalmingvnet
nat 0 (inside) access-list nonatvoice

or

static (inside,insidevoice) 10.99.60.0 10.99.60.0 netmask 255.255.252.0 0 100

or you could turn off NAT:

no nat-control

check the command ref at http://www.cisco.com/en/US/products/ps6120/products_command_reference_book09186a00805fbad6.html for that last one, it might come in very handy.
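The rules in the reply (high to low needs nat/global or an exemption on the initiating host's interface; low to high needs a static or exemption for the high-side host; no nat-control removes the requirement) can be checked offline against the question's configuration. The following is an added example written for this thread, not code from the thread or from Cisco: a small Python model of classic PIX/ASA 7.x nat-control behaviour, loaded with the question's two interfaces and the `nat 0 (insidevoice)` exemption, and then with each of the three fixes from the reply. The host addresses 10.99.36.10 and 10.99.60.10 are constructed test values. The static is modelled with 10.99.36.0/22 as the real network, because the ASA syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip` and the hosts that need the translation live on inside; the access-list that a low-to-high connection also requires is deliberately not modelled.

```python
"""Added example: a toy model of PIX/ASA 7.x nat-control, not Cisco code.
It answers one question: does a packet from src_ifc to dst_ifc have the
translation nat-control demands, and if so which rule supplied it?"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Exempt:          # nat 0 (ifc) access-list ...  : identity NAT, works in both directions
    ifc: str
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Static:          # static (real_ifc,mapped_ifc) mapped real netmask ... (identity when equal)
    real_ifc: str
    mapped_ifc: str
    real: IPv4Network


@dataclass
class Firewall:
    security: dict[str, int]                     # nameif -> security-level
    nat_control: bool = True
    exempts: list[Exempt] = field(default_factory=list)
    statics: list[Static] = field(default_factory=list)
    nat_ids: dict[str, list[tuple[int, IPv4Network]]] = field(default_factory=dict)  # nat <id> (ifc) net
    global_ids: dict[str, set[int]] = field(default_factory=dict)                 # global (ifc) <id>

    def _exempt(self, ifc, host, peer):
        """nat 0 exemption configured on ifc that covers host talking to peer."""
        for e in self.exempts:
            if e.ifc == ifc and host in e.src and peer in e.dst:
                return f"nat 0 ({ifc}) exemption"
        return None

    def _static(self, real_ifc, mapped_ifc, host):
        for s in self.statics:
            if s.real_ifc == real_ifc and s.mapped_ifc == mapped_ifc and host in s.real:
                return f"static ({real_ifc},{mapped_ifc})"
        return None

    def _dynamic(self, ifc, out_ifc, host):
        """nat <id> on the ingress interface paired with a global <id> on the egress one."""
        for nat_id, net in self.nat_ids.get(ifc, []):
            if host in net and nat_id in self.global_ids.get(out_ifc, set()):
                return f"nat {nat_id} ({ifc}) + global ({out_ifc}) {nat_id}"
        return None

    def check(self, src_ifc, dst_ifc, src_ip, dst_ip) -> tuple[bool, str]:
        src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
        if not self.nat_control:
            return True, "nat-control disabled: no translation required"
        if self.security[src_ifc] > self.security[dst_ifc]:
            # high -> low: the initiating host on the high-security side needs a translation
            hit = (self._exempt(src_ifc, src_ip, dst_ip)
                   or self._static(src_ifc, dst_ifc, src_ip)
                   or self._dynamic(src_ifc, dst_ifc, src_ip))
            where = f"{src_ip} on {src_ifc}"
        else:
            # low -> high: the high-side host being reached needs a static or an exemption
            # (an access-list on the low-side interface is also needed; not modelled here)
            hit = self._exempt(dst_ifc, dst_ip, src_ip) or self._static(dst_ifc, src_ifc, dst_ip)
            where = f"{dst_ip} on {dst_ifc}"
        if hit:
            return True, f"{where}: {hit}"
        return False, f"{where}: no translation, packet dropped under nat-control"


INSIDE = ip_network("10.99.36.0/22")   # godalmingnet, from the question
VOICE = ip_network("10.99.60.0/22")    # godalmingvnet, from the question


def posted_config() -> Firewall:
    """The question's configuration: only nat 0 (insidevoice) access-list nonatvoice."""
    fw = Firewall(security={"inside": 100, "insidevoice": 90})
    fw.exempts.append(Exempt("insidevoice", VOICE, INSIDE))
    return fw


def fix_nat0() -> Firewall:            # reply option 1: nat 0 (inside) access-list nonatvoice
    fw = posted_config()
    fw.exempts.append(Exempt("inside", INSIDE, VOICE))
    return fw


def fix_static() -> Firewall:          # reply option 2, with the inside network as the real address
    fw = posted_config()
    fw.statics.append(Static("inside", "insidevoice", INSIDE))
    return fw


def fix_no_nat_control() -> Firewall:  # reply option 3: no nat-control
    fw = posted_config()
    fw.nat_control = False
    return fw


def both_directions(fw: Firewall) -> tuple[bool, bool]:
    """(inside -> insidevoice allowed?, insidevoice -> inside allowed?) for constructed hosts."""
    return (fw.check("inside", "insidevoice", "10.99.36.10", "10.99.60.10")[0],
            fw.check("insidevoice", "inside", "10.99.60.10", "10.99.36.10")[0])


if __name__ == "__main__":
    for name, build in [("posted", posted_config), ("nat 0 on inside", fix_nat0),
                        ("static", fix_static), ("no nat-control", fix_no_nat_control)]:
        fw = build()
        print(f"{name:16} inside->voice: {fw.check('inside', 'insidevoice', '10.99.36.10', '10.99.60.10')[1]}")
        print(f"{'':16} voice->inside: {fw.check('insidevoice', 'inside', '10.99.60.10', '10.99.36.10')[1]}")
```

Running it shows why the posted config fails in both directions: the exemption lives on insidevoice, but under nat-control it is the inside hosts (the higher-security side) that must have a translation toward insidevoice, and nothing on inside provides one. Each of the reply's three options supplies that missing piece, which is also why the fix the model reports for the first option reads `nat 0 (inside) exemption`.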