Cisco Support Community
New Member

nonat access-list versus static mapping

I am using code level 8.2.5

 

global (dmz) 1 interface
global (outside) 1 interface

nat (dmz) 0 access-list NONAT1

nat (inside) 0 access-list nonat
static (inside,dmz) 10.42.198.176 172.22.196.2 netmask 255.255.255.255

 

This is in reference to the bold nat command above. The nonat access list is a range of internal subnets in our network. If I use an external access list inbound to the outer ASA interface, can the outside addresses reach the inside address without any issues, or do I still have to create a static reference for the inside address even though they are not natted going from the inside interface to the outside interface?

ex.

access-list External-in permit ip any host 10.0.0.1

access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

 

Can address 10.1.1.1 have unrestricted access to 10.0.0.1?

 

Thanks
 

1 ACCEPTED SOLUTION

Super Bronze

Yes, outside host should have unlimited access to the internal host 10.0.0.1 based on the nonat and ACL applied to the outside interface. I am assuming that this is clear text traffic, not via VPN tunnel?

New Member

Yes, it was for clear text. I did a quick test to verify it too... I was getting lazy and didn't really want to set a quick ASA to test. Thanks
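Added example, not part of the original thread: the configuration discussed above in ASA 8.2 syntax, with a way to confirm the behaviour on the box and a narrower inbound ACL beside the `permit ip any` entry. The `access-group` binding, the test ports, and the HTTPS-only rule are assumptions; the addresses and ACL names are the ones used in the question.

```cisco
! --- As described in the question (ASA 8.2.x) ---
! NAT exemption for inside hosts; the ACL is written from the inside host's
! point of view (source = inside subnets, destination = remote subnets).
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

! Inbound ACL on the outside interface. This entry lets ANY source reach
! 10.0.0.1 on every IP protocol and port.
access-list External-in permit ip any host 10.0.0.1
! Assumption: the ACL is bound inbound on the outside interface like this.
access-group External-in in interface outside

! --- Verify without generating real traffic ---
! Simulate 10.1.1.1 (outside) opening TCP/80 to 10.0.0.1 (inside).
! Source port 1025 and destination port 80 are arbitrary test values.
! Walk the phases in the output and confirm the final "Action:" is allow.
packet-tracer input outside tcp 10.1.1.1 1025 10.0.0.1 80 detailed

! Hit counters show which ACL entry the traffic actually matched.
show access-list External-in
show access-list nonat

! --- Narrower alternative (assumption: only 10.1.1.1 needs HTTPS) ---
! NAT exemption only removes the translation requirement; the interface ACL
! is still the access control, so scope it to the source and service needed.
no access-list External-in permit ip any host 10.0.0.1
access-list External-in permit tcp host 10.1.1.1 host 10.0.0.1 eq 443

! Re-run the simulation: TCP/443 from 10.1.1.1 should be allowed,
! TCP/80 from the same host should now be dropped by the ACL.
packet-tracer input outside tcp 10.1.1.1 1025 10.0.0.1 443 detailed
packet-tracer input outside tcp 10.1.1.1 1025 10.0.0.1 80 detailed
```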
