Cisco Support Community
Community Member

NAT question

Will the following NAT config on an ASA conflict?

First part is for one to one NAT for inside address

static (inside,outside) netmask

access-list outside_in permit tcp host host

Following is an exception for the one-to-one NAT. I have a host on the outside that needs to access the inside host, but they cannot use as the destination. So here was what I proposed:

access-list nat-exception permit ip host host 209.x.x.x

static (inside,outside)

access-list nat-exception

access-list outside_in permit tcp host 209.x.x.x host

Basically, I have a static NAT already in place, but have a new customer coming in that needs to access the same internal address via an address that is not the already defined static statement, so I was wondering if the static with the access-list would be a workaround without conflicting with or affecting the one-to-one NAT. I'm guessing the one-to-one NAT trumps my idea. If anyone has any idea on how I can make this work, please advise. Thanks

Community Member

Re: NAT question


I had the same type of issue. I had to use policy NAT to fix it. The policy NAT is triggered by an access-list. Your second nat command is a policy NAT. You should convert your one-to-one NAT to a policy NAT. You may still see a NAT conflict pop up on your CLI, but it will still work fine.
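
The conversion suggested in the reply above, written out as an added example that is not part of the original posts. It assumes pre-8.3 ASA syntax (matching the `static (inside,outside)` form in the question); every address and the TCP port are constructed placeholders from documentation ranges, and the ACL name `nat-default` is hypothetical.

```text
! Constructed addresses (assumptions, not from the thread):
!   10.1.1.10     real inside host
!   192.0.2.10    existing mapped address used by all other outside peers
!   192.0.2.20    alternate mapped address for the new customer
!   198.51.100.5  new customer's outside host

! Policy static for the new customer. It is entered first because static
! rules are evaluated in configuration order and the specific match must win.
access-list nat-exception extended permit ip host 10.1.1.10 host 198.51.100.5
static (inside,outside) 192.0.2.20 access-list nat-exception

! The former one-to-one static, rewritten as a policy static so both
! translations of 10.1.1.10 are the same rule type.
access-list nat-default extended permit ip host 10.1.1.10 any
static (inside,outside) 192.0.2.10 access-list nat-default

! Before 8.3 the interface ACL references the mapped addresses, so each
! peer is permitted only to the mapped address intended for it.
access-list outside_in extended permit tcp host 198.51.100.5 host 192.0.2.20 eq 443
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside

! Verification: confirm which translation and ACL entry each peer hits.
! show xlate
! packet-tracer input outside tcp 198.51.100.5 1025 192.0.2.20 443
```

Keeping the customer's `outside_in` entry scoped to its single source host means the second mapped address does not become another open path to the inside server.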
