Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Nat 0 Configuration issue with ACL deny policy on ASA ver(9.1)

Hello Everyone,

I have recently installed Cisco ASA 5525 in our customer premises. Issue with  ACL deny policy in regular nat 0 exemption. In Old setup, They have PIX 525 with old version. In ASA 9.1 Cisco removed the nat 0 exemption keyword command

Please help me with nat 0 exemption in term of creation of ACL deny policy.

 

Old setup Pix access list with nat 0 exemption

 

access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.216.150  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.160.41  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.128.96 255.255.255.240  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.171.0 255.255.255.0  
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.179.0 255.255.255.0  
access-list Private_inside_nat0_outbound remark Testing
access-list Private_inside_nat0_outbound extended deny ip 192.168.70.0 255.255.255.0 192.168.179.0 255.255.255.0  
access-list Private_inside_nat0_outbound extended permit ip any any  
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.40 host 192.168.128.108  
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.101 host 192.168.128.110
access-list private_outside_nat0_inbound extended permit ip 192.168.100.128 255.255.255.128 any
access-list Private_dmz_nat0_outbound_1 remark CPC
access-list Private_dmz_nat0_outbound_1 extended deny ip host 192.168.6.167 any  
access-list Private_dmz_nat0_outbound_1 extended permit ip any any
access-list NCP_nat0_inbound remark NCP_TO_ABC
access-list NCP_nat0_inbound extended deny ip host 192.168.128.108 host 192.168.100.40  
access-list NCP_nat0_inbound extended deny ip host 192.168.141.177 host 192.168.100.86


nat (inside) 0 access-list Private_inside_nat0_outbound
nat (outside) 0 access-list private_outside_nat0_inbound outside
nat (dmz) 0 access-list Private_dmz_nat0_outbound_1
nat (NCP) 0 access-list NPCI_nat0_inbound outside
 
static (inside,NCP) interface 192.168.100.40 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.108 192.168.100.28 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.110 192.168.100.101 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.109 192.168.100.29 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.102 192.168.100.33 netmask 255.255.255.255  
static (inside,NCP) 192.168.128.105 192.168.100.63 netmask 255.255.255.255  
static (dmz,NCP) 192.168.128.104 192.168.6.167 netmask 255.255.255.255  
static (inside,NCP) 192.168.141.177 192.168.100.86 netmask 255.255.255.255

 

- Sagar

 

 

 

 

 

 

1 REPLY
Community Member

Hi Sagar, Concept of NAT

Hi Sagar,

 

Concept of NAT-Control is not present in post 8.2 versions.

 

Access control can be applied as ACL's and not through natting.

 

Regards,

Anand

165
Views
0
Helpful
1
Replies
CreatePlease to create content