Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

Policy NAT

So, I was doing some testing this weekend, and I had noticed something that I wanted someone to verify my findings. In an ASA, if I create an acl and policy nat, it seems that it's two directions.

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list NONAT

From the 192.168.3.0 subnet, I could ping something in the 192.168.1.0 subnet, and the same in reverse. I would've thought that I needed to create a 192.168.3.0 -> 192.168.1.0 ace, but that wasn't the case. Does that seem right?

Thanks!

John

HTH, John *** Please rate all useful posts ***
2 REPLIES
Hall of Fame Super Blue

Re: Policy NAT

John

"I would've thought that I needed to create a 192.168.3.0 -> 192.168.1.0 ace, but that wasn't the case"

When you say ace do you mean another access-list like the NONAT acl but in reverse ?

If so, no you don't need to because the above is a nat exemption and that is bi-directional.

Jon

Re: Policy NAT

Jon,

Yes in reverse. I thought my acl would've needed to look like:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list NONAT permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Since the acl is src -> dst, I thought that's what was needed, when I put my first entry in, I realized that I could ping from both sides of the dmz (dmz-in,in-dmz). I'm switching the asa off of identity nat and going to policy nat.

Thanks!

John

HTH, John *** Please rate all useful posts ***
133
Views
0
Helpful
2
Replies
CreatePlease to create content