05-14-2009 02:18 AM - edited 03-11-2019 08:32 AM
Dear All,
I am thinking of configuring a policy NAT associated with a static identity NAT in order to exclude my internal networks from NAT.
access-list POI_NET1_POLICY_NAT extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
static (inside,dmz) 192.168.0.0 access-list POI_NET1_POLICY_NAT
My question is:
Must the ACL used by the static identity NAT be applied to the inside interface (access-group POI_NET1_POLICY_NAT in interface inside)?
Thanks and Regards,
Igor.
05-14-2009 02:41 AM
Your access-group should be
access-group POI_NET1_POLICY_NAT in interface inside
NAT
nat (inside,dmz) 0 access-list POI_NET1_POLICY_NAT
or another way for NAT exception
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 -
This single statement should work for you. Just make sure you have an ACL to allow the traffic between inside and dmz.
You can apply only one ACL inbound on your inside interface, so make sure POI_NET1_POLICY_NAT is the ACL you are already using on the inside interface.
See this: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043541
Francisco
05-21-2009 08:17 AM
Thanks for the rating, Igor.
Francisco
05-21-2009 02:37 PM
The access-list used in the NAT exemption should not be used to filter traffic, because a no-NAT ACL cannot contain port numbers.
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-group INSIDE_IN in interface inside
!NAT
access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2
nat (inside,dmz) 0 access-list no_NAT
And this is a valid configuration, but I find it weird:
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
If it was useful to you, please rate. Thanks!
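The point of the answer above is that an ACL referenced by nat 0 (NAT exemption) must match on IP only, and that reusing the interface filter ACL for NAT exemption is a mistake. The following Python lint is an added example, not code from the thread or from Cisco; it parses the pre-8.3 ASA syntax shown in the posts (access-list ... extended, access-group, nat (in,out) 0 access-list) and flags two problems: a nat 0 ACL that carries port qualifiers, and a nat 0 ACL that is also applied as an interface filter. The sample configuration is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config (not from a real device), in the pre-8.3 ASA syntax used in the thread.
# INSIDE_IN is deliberately misused for NAT exemption so the lint has something to report.
SAMPLE_CONFIG = """\
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.252.0 object-group mail2 eq www
access-group INSIDE_IN in interface inside
access-list no_NAT extended permit ip 192.168.0.0 255.255.252.0 object-group mail2
nat (inside,dmz) 0 access-list no_NAT
nat (inside,dmz) 0 access-list INSIDE_IN
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
"""

# access-list <name> extended <permit|deny> <proto> <rest of entry>
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# nat (<in>,<out>) 0 access-list <name>   -> NAT exemption
NAT0_RE = re.compile(r"^nat\s+\(([^,]+),([^)]+)\)\s+0\s+access-list\s+(\S+)")
# access-group <name> <in|out> interface <ifname>
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
# Port operators that have no meaning in a NAT exemption ACL
PORT_OPERATOR_RE = re.compile(r"\b(eq|gt|lt|neq|range)\b")


def parse_config(text: str):
    """Return (ACEs per ACL, nat 0 references, access-group bindings)."""
    aces: Dict[str, List[Tuple[str, str, str]]] = {}
    nat0: List[Tuple[str, str, str]] = []
    groups: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            aces.setdefault(name, []).append((action, proto, rest))
        elif m := NAT0_RE.match(line):
            inside, outside, name = m.groups()
            nat0.append((inside, outside, name))
        elif m := ACCESS_GROUP_RE.match(line):
            name, direction, ifname = m.groups()
            groups[name] = (direction, ifname)
    return aces, nat0, groups


def lint_nat_exemption(text: str) -> List[str]:
    """Report ACLs used by nat 0 that carry port qualifiers or double as traffic filters."""
    findings: List[str] = []
    aces, nat0, groups = parse_config(text)
    for inside, outside, name in nat0:
        ctx = f"nat ({inside},{outside}) 0 access-list {name}"
        if name not in aces:
            findings.append(f"{ctx}: ACL {name} is not defined")
            continue
        for action, proto, rest in aces[name]:
            if PORT_OPERATOR_RE.search(rest):
                findings.append(
                    f"{ctx}: port-qualified entry '{action} {proto} {rest}'; "
                    f"NAT exemption matches on IP only, use 'permit ip'"
                )
        if name in groups:
            direction, ifname = groups[name]
            findings.append(
                f"{ctx}: ACL {name} is also applied as a traffic filter "
                f"({direction} on {ifname}); use a separate no-NAT ACL"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_nat_exemption(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the lint reports two findings for INSIDE_IN (port qualifier, and reuse as the inside filter) and none for no_NAT, which is exactly the split the answer above recommends.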
05-22-2009 12:00 PM
"And this is a valid configuration, but I find it weird"
Weird?? I didn't know Cisco's NAT configuration guides contained weird stuff!!