Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Policy NAT / Conditional NAT

Hi Guys,

            I need your help in getting a resolution to the Natting problem mentioned below.

            I have a 10.x.x.x network in place(site A). Another partner who also houses a 10.x.x.x subnet(site B) needs to access a particular server within Site A.

1. Site B has a group of 6 servers which need to communicate with the server in Site A.

2. The 6 servers at site B would be statically natted and the requests from Site B -> Site A will be unidirectional in nature. The public ip at Site A would also be Natted to permit these 6 ip's.

3. The server housed in Site A caters to requests both from Site B as well as from other sites via the same public ip.

4. A simple straightforward static nat causes every request coming to the public ip to get natted.

     static (inside,outside) public_ip Server_ip netmask

5. To solve this a policy / conditional NAT has been configured as follows...

NOTE: PUBLIC_IP = public ip pointing to the Site A server; SITE_B_CLUSTER=6 servers at Site B

     access-list outside-incoming extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS

     access-list conditional-nat extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS

    static (inside,outside) PUBLIC_IP access-list conditional-nat

6. Now when i am configuring this i am encountering the following errors...

      • Protocol mismatch between the static and access-list - Solved this by making my conditional-nat acl into ip based.
      • access-list used in static has different local addresses

    I am not able to solve the 2nd error. Could someone please help?

    I would also like to know what are my alternatives if i have to maintain the conditonal-nat access-list at a tcp based ACL?

I would also like some material which i could read on policy Nat & Nat Basics.

                     Thanking You,


Uzair Syed Naveed

Everyone's tags (3)
Cisco Employee

Re: Policy NAT / Conditional NAT


Please refer to the below document for information about configuring Static policy NAT:

For information about Policy NAT in general (dynamic and static), refer to the below page:

The error message you are seeing is because the way you are configuring Static policy NAT is incorrect. The ACL "outside-inside" is alright but the access list being used for the NAT, that is, "conditional-nat" is configured the reverse of the way it should be.

Basically, you will need an ACL specifying IP traffic from the SIte A server's real IP (in the 10.x.x.x) range destined to the Site B server's IP addresses (SITE_B_CLUSTER). Once you have such an ACL ready, create the static with this ACL and the PUBLIC_IP as the translated IP.

I hope this information helps.

All the best!!

Thanks and Regards,


New Member

Re: Policy NAT / Conditional NAT

Hello Prapanch,

                        Thank you for your response. This clarifies things quite a bit. i do have a doubt here...

                          If i have an ACL specifying IP traffic from the SIte A server's real IP (in the 10.x.x.x) range destined to the Site B server's IP addresses (SITE_B_CLUSTER). then how would that help, and why would it be required logically?

                          I mean, the requests are only unidirectional from site b -> site A and the reason we are applying the acl  is to implement the condition that, only specific requests from the SITE_B_CLUSTER get translated to SITE_A_public ip.

ohh and before i forget...

THANK YOU for all your help.

you have been a big help. Ill be implementing this tomorrow morning. Ill get back in case i do have some problem here.


Uzair Syed Naveed

Cisco Employee

Re: Policy NAT / Conditional NAT

Hi Uzair,

Well, frankly speaking, the fact is that this is the way we are supposed ot configure Policy NAT on the ASA. This is how it works practically:

static (inside,outside) PUBLIC_IP access-list conditional-nat

access-list condition-nat permit ip host SITEA-SERVER object-group SITEB_SERVERS

Now when the ASA sees a request coming in on the "outside" interface for the PUBLIC_IP and it is sourced from the one of the IP addresses in the "object-group SITEB_SERVERS", then ASA will match this against this Static policy NAT that we have configured and will untranslate the PUBLIC_IP to the real ip of the server SITEA_SERVER and route the traffic out the "inside" interface.

Now if the ASA receives a request on the "outside" interface for the PUBLIC_IP but the packet's source IP is not in the object-group SITEB_SERVERS, then the ASA will not match this packet against this STatic NAT and will try to match it against the rest of the config that we have on the ASA.

Hope this makes things clear. Let me know if there are any gray areas


Cisco Employee

Re: Policy NAT / Conditional NAT


firstly let me start with the erro message

the second error message you are concerned about, you are getting this because what you are telling the firewall that the local ip address are on your inside and they all need to statically translated to one public ip. as you can see this does not make much sense

secondly as prapanch pointed out you have the static wrongly configured as this gives the firewall a feeling that the local hots are on your inside

lastly, i do not understand why you are concerned about using

static (inside,outside) public_ip Server_ip netmask

please note this is destination nat, which mean the destination ip is translated. this does not mean that the source ip of all the hosts from internet is translated

i hope this clears your doubt