Cisco Support Community

ASA 5520 version 8.0(4)

Dear All,

I am thinking of configuring a Policy NAT associated with a Static Identity NAT in order to exclude my internal networks from NAT.

access-list POI_NET1_POLICY_NAT extended permit tcp object-group mail2 eq www

static (inside,dmz) access-list POI_NET1_POLICY_NAT

My question is:

Must the ACL used by the Static Identity NAT be applied to the inside interface (access-group POI_NET1_POLICY_NAT interface inside in)?

Thanks and Regards,



Re: ASA 5520 version 8.0(4)

Your access group should be:

access-group POI_NET1_POLICY_NAT in interface inside.


nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT

Or, another way for NAT exception:

static (inside,dmz) netmask -

This single statement should work for you. Just make sure you have an ACL to allow the traffic between inside and dmz.

You can apply only one ACL inbound on your inside interface, so make sure the POI_NET1_POLICY_NAT ACL is the ACL you are already using on the inside interface.

see this


Re: ASA 5520 version 8.0(4)

Thanks for the rating, IGOR.



Re: ASA 5520 version 8.0(4)

The access-list used in the NAT exception should not be used to filter traffic, because a no-NAT ACL cannot contain port numbers.

access-list INSIDE_IN extended permit tcp object-group mail2 eq www

access-group INSIDE_IN in interface inside.


access-list no_NAT extended permit ip object-group mail2

nat (inside,dmz) 0 access-list no_NAT

And this is a valid configuration, but I see it weird.

static (inside,dmz) netmask -

If it was useful to you, please rate. Thanks!
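
A small audit for the two problems the post above describes: one ACL bound both as a NAT exemption and as an interface filter, and port operators inside a NAT exemption ACL. This is an added example, not code from the thread; the addresses are constructed placeholders, `audit` is a hypothetical helper, and the parser only covers the three command forms shown.

```python
import re

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(?:permit|deny)\s+\S+\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+")
# Accepts one or two interface names inside the parentheses.
NAT0_RE = re.compile(r"^nat\s+\([^)]+\)\s+0\s+access-list\s+(\S+)")
SHARED_ACL = "ACL shared between nat 0 and access-group"
HAS_PORTS = "port operator in NAT exemption ACL"

# Constructed sample: one ACL doing both jobs (addresses are placeholders).
ONE_ACL = """\
access-list POI_NET1_POLICY_NAT extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq www
access-group POI_NET1_POLICY_NAT in interface inside
nat (inside) 0 access-list POI_NET1_POLICY_NAT
"""
# Constructed sample: filtering and NAT exemption split into two ACLs.
TWO_ACLS = """\
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq www
access-group INSIDE_IN in interface inside
access-list no_NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list no_NAT
"""


def audit(config):
    """Return sorted (acl_name, issue) pairs for NAT exemption ACL problems."""
    with_ports, filters, exempt = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            # Any port operator after the protocol marks the whole ACL.
            if PORT_OPS & set(m.group(2).split()):
                with_ports.add(m.group(1))
        elif m := GROUP_RE.match(line):
            filters.add(m.group(1))
        elif m := NAT0_RE.match(line):
            exempt.add(m.group(1))
    findings = [(name, HAS_PORTS) for name in exempt & with_ports]
    findings += [(name, SHARED_ACL) for name in exempt & filters]
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("one ACL", ONE_ACL), ("two ACLs", TWO_ACLS)):
        print(label, audit(cfg))
```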

Re: ASA 5520 version 8.0(4)

"And this is a valid configuration, but I see it weird"

Weird?? I didn't know Cisco's NAT configuration guides contain weird stuff!!
