Cisco Support Community

New Member

NAT Rules

Hi all,

At present I'm installing an ASA firewall between my 2811 router and the network.

The router at the moment has an internal IP address of and has NAT rules set up. The address is that of our Exchange server. My question is this: if I change the internal interface of the router to and the external interface of the ASA to and the internal interface of the ASA has the address, what do I do about the NAT rules?

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 25 *.*.*.* 25 route-map Deny-VPN extendable
ip nat inside source static tcp 80 *.*.*.* 80 route-map Deny-VPN extendable
ip nat inside source static tcp 143 *.*.*.* 143 route-map Deny-VPN extendable

ip access-list extended Deny-VPN
 permit ip

access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 permit ip any

route-map Deny-VPN deny 10
 match ip address Deny-VPN

route-map SDM_RMAP_1 permit 1
 match ip address 105


I've attached the complete config below



Cisco Employee

Re: NAT Rules

You are just changing the interface of the router from to. As far as the NAT statement is concerned, you do not need to change anything. All you need to do on the router is to configure a route for subnet to point towards the ASA external IP address (

Assuming you have the following topology:

Internal network ( -- (Inside) ASA (Outside) -- (Inside) router (Outside) -- Internet

On the ASA, you would need to configure NAT exemption, or a static statement to itself.


static (inside,outside) netmask

Or, alternatively:

access-list nonat permit ip any
nat (inside) 0 access-list nonat

Hope that helps.
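
The addresses in this thread were removed, so here is the setup from the reply written out with constructed placeholder addresses (an added example, not taken from either poster's configuration): inside LAN 192.168.1.0/24, Exchange server 192.168.1.10, router-to-ASA link 10.0.0.0/30, and assumed interface names. The ASA part uses the pre-8.3 NAT syntax of the reply; the outside access list is an addition, because the ASA drops connections arriving on the outside interface unless an access list permits them.

```cisco
! Constructed placeholder addresses (not from the thread):
!   inside LAN 192.168.1.0/24, Exchange server 192.168.1.10
!   router inside 10.0.0.1/30, ASA outside 10.0.0.2/30
!
! --- 2811 router (IOS) ---
interface FastEthernet0/0
 description Link to ASA outside (interface name assumed)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! Return path to the LAN that now sits behind the ASA
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
! The existing static NAT entries keep pointing at the server's real
! address, because the ASA passes 192.168.1.0/24 through untranslated.
!
! --- ASA (pre-8.3 NAT syntax, as in the reply; interface names assumed) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! NAT exemption: inside hosts keep their own addresses through the ASA
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
!
! Permit only the services the router forwards (25, 80, 143) to the
! server; all other inbound traffic on the outside interface stays denied
access-list outside_in extended permit tcp any host 192.168.1.10 eq 25
access-list outside_in extended permit tcp any host 192.168.1.10 eq 80
access-list outside_in extended permit tcp any host 192.168.1.10 eq 143
access-group outside_in in interface outside
```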