ASA 5520 version 8.0(4)

Dear All,

I am thinking of configuring a Policy NAT associated with a Static Identity NAT in order to exclude my internal networks from NAT.

access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www

static (inside,dmz) 192.168.0.0 access-list POI_NET1_POLICY_NAT

My question is:

Must the ACL used by the Static Identity NAT be applied to the inside interface (access-group POI_NET1_POLICY_NAT interface inside in)?

Thanks and Regards,

Igor.


Re: ASA 5520 version 8.0(4)

Your access-group should be

access-group POI_NET1_POLICY_NAT in interface inside.

NAT

nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT

or another way for NAT exception

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -

This single statement should work for you. Just make sure you have an ACL to allow the traffic between inside and dmz.

You can apply only one ACL inbound on your inside interface, so make sure POI_NET1_POLICY_NAT is the ACL you are already using on the inside interface.

See this: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043541

Francisco

Re: ASA 5520 version 8.0(4)

Thanks for the rating, Igor.

Francisco


Re: ASA 5520 version 8.0(4)

The access-list used in the NAT exemption should not be used to filter traffic, because a no-NAT ACL cannot contain port numbers.

access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www

access-group INSIDE_IN in interface inside.

!NAT

access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2

nat (inside,dmz) 0 access-list no_NAT

And this is a valid configuration, but I see it as weird.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -

If it was useful to you, please rate. Thanks!
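As an added example (not code from this thread or from Cisco), a small Python check that applies the rule above to a constructed ASA config fragment: it flags a NAT-exemption ACL (`nat ... 0 access-list`) whose entries carry a port keyword, and one that is also bound to an interface with `access-group`. The ACL names and addresses are taken from the posts; the way they are combined in the sample is hypothetical.

```python
PORT_KEYWORDS = {"eq", "gt", "lt", "neq", "range"}

# Constructed sample mixing the lines posted in this thread: the policy ACL with
# "eq www" is both bound with access-group and referenced by "nat 0" (the mistake
# the reply warns about), while no_NAT is a clean ip-only exemption ACL.
SAMPLE_CONFIG = """\
access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2
access-group POI_NET1_POLICY_NAT in interface inside
nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT
nat (inside,dmz) 0 access-list no_NAT
"""


def parse_config(text):
    """Collect ACL entries, ACLs referenced by 'nat ... 0 access-list', and ACLs bound with access-group."""
    acls, exempt, bound = {}, set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "access-list" and parts[2] != "remark":
            acls.setdefault(parts[1], []).append(parts[2:])
        elif len(parts) >= 5 and parts[0] == "nat" and parts[2] == "0" and parts[3] == "access-list":
            exempt.add(parts[4])
        elif len(parts) >= 2 and parts[0] == "access-group":
            bound.add(parts[1])
    return acls, exempt, bound


def lint_nat_exemption(text):
    """Return (acl_name, finding) pairs for every NAT-exemption ACL that breaks the rules."""
    acls, exempt, bound = parse_config(text)
    findings = []
    for name in sorted(exempt):
        for ace in acls.get(name, []):
            if PORT_KEYWORDS & set(ace):
                findings.append((name, "port-in-nat0"))  # exemption does not match on ports
        if name in bound:
            findings.append((name, "shared-with-access-group"))  # one ACL doing two jobs
    return findings


if __name__ == "__main__":
    for acl, finding in lint_nat_exemption(SAMPLE_CONFIG):
        print(f"{acl}: {finding}")
```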

Re: ASA 5520 version 8.0(4)

"And this is a valid configuration, but i see it weird"

Weird?? I didn't know Cisco's NAT configuration guides contain weird stuff!!
