Cisco Support Community
Community Member

NAT question

Will the following NAT config on an ASA conflict?

The first part is for one-to-one NAT for inside address 172.16.1.1:

static (inside,outside) 192.168.1.1 172.16.1.1 netmask 255.255.255.255

access-list outside_in permit tcp host 10.10.10.10 host 192.168.1.1

The following is an exception for the one-to-one NAT. I have a host on the outside that needs to access the inside host 172.16.1.1, but they cannot use 192.168.1.1 as the destination. So here was what I proposed:

access-list nat-exception permit ip host 172.16.1.1 host 209.x.x.x

static (inside,outside) 172.32.1.1 access-list nat-exception

access-list outside_in permit tcp host 209.x.x.x host 172.32.1.1

Basically, I have a static NAT already in place, but I have a new customer coming in that needs to access the same internal address via an address that is not the already defined static statement, so I was wondering if the static with the access-list would be a workaround without conflicting with or affecting the one-to-one NAT. I'm guessing the one-to-one NAT trumps my idea. If anyone has any idea on how I can make this work, please advise. Thanks.

1 REPLY
Community Member

Re: NAT question

Hello,

I had the same type of issue. I had to use policy NAT to fix it. The policy NAT is triggered by an access-list. Your second NAT command is a policy NAT. You should convert your one-to-one NAT to a policy NAT. You may still see a NAT conflict pop up on your CLI, but it will still work fine.

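The conversion suggested in the reply, written out as an added example that is not part of either post. It uses the pre-8.3 `static ... access-list` syntax from the thread, the ACL name `policy-nat-existing` is hypothetical, and it assumes 10.10.10.10 is the only outside peer that reaches the host through 192.168.1.1 (as the `outside_in` entry in the question suggests).

```cisco
! Added example, not from the thread. 209.x.x.x is the elided
! customer address exactly as it appears in the question.

! 1. Remove the unconditional one-to-one static, which otherwise
!    claims 172.16.1.1 for every outside destination.
no static (inside,outside) 192.168.1.1 172.16.1.1 netmask 255.255.255.255

! 2. Existing peer: map 172.16.1.1 to 192.168.1.1 only for traffic
!    to or from 10.10.10.10 (assumption: this is the only peer).
access-list policy-nat-existing permit ip host 172.16.1.1 host 10.10.10.10
static (inside,outside) 192.168.1.1 access-list policy-nat-existing

! 3. New customer: map 172.16.1.1 to 172.32.1.1 only for traffic
!    to or from 209.x.x.x (the policy NAT from the question).
access-list nat-exception permit ip host 172.16.1.1 host 209.x.x.x
static (inside,outside) 172.32.1.1 access-list nat-exception

! 4. Interface ACL stays scoped per peer and per mapped address,
!    so each outside host can reach only its own translation.
access-list outside_in permit tcp host 10.10.10.10 host 192.168.1.1
access-list outside_in permit tcp host 209.x.x.x host 172.32.1.1

! 5. Confirm both translations exist after the change.
show xlate
```

Because each policy NAT ACL names a single destination, any other outside host gets no translation for 172.16.1.1 at all, which is narrower exposure than the original unconditional static.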