New Member

Static Nat and Nat 0

Hi,

I have an ASA running ver 8.0.

I want to create a static NAT for one host residing on the LAN hanging off the inside interface.

All other traffic going through the firewall should not be natted (or natted to the same IP). Would this configuration work OK?

nat-control

static (inside,outside) 10.131.2.19 10.1.19.9

nat (inside) 0 access-list nonat

nat (outside) 0 access-list nonat

access-list nonat permit ip any any

Any advice on how to do this a better way would also be appreciated.

Cheers

Lee

3 REPLIES
Hall of Fame Super Blue

Re: Static Nat and Nat 0

Hi Lee

nat-control

static (inside,outside) 10.131.2.19 10.1.19.9

nat (inside) 0 0.0.0.0 0.0.0.0

That should do the trick. The static takes preference over the NAT statement. The NAT statement just says do not NAT any traffic.

HTH

Jon

Silver

Re: Static Nat and Nat 0

The "nat (outside) 0 access-list nonat" is redundant/unnecessary. This is a NAT exemption statement, so it works bidirectionally. A NAT 0 works unidirectionally and specifies a single IP going in or out.

New Member

Re: Static Nat and Nat 0

Hi Lee,

If you don't want to NAT all traffic, don't use the nat-control command, because this command will pass only natted addresses, and if any address is not natted, it will be dropped.

To perform natting on a specific internal ip address, you can use:

nat (inside) 2 10.1.19.9 (INTERNAL IP)

global (outside) 2 10.131.2.19 (EXTERNAL IP)

This will NAT the internal address 10.2.19.9 to an external address 10.131.2.19.
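
An added example, not part of any post in this thread and not Cisco code: a small Python model of the order in which ASA software before 8.3 matches NAT rules for a real address (NAT exemption first, then static, then regular nat including identity NAT), applied to the configuration in the original post and to the one in the first reply. The function names and the host 10.1.19.50 are constructed for illustration; policy NAT, PAT and destination matching in the ACL are left out.

```python
import ipaddress

# Simplified model (assumption) of the pre-8.3 ASA match order for a real
# inside address:
#   1. NAT exemption      nat (inside) 0 access-list <acl>
#   2. static NAT         static (inside,outside) <mapped> <real>
#   3. regular nat rules, which include identity NAT: nat (inside) 0 <net> <mask>

def translate(src, exempt_nets=(), statics=None, identity_nets=()):
    """Return (matching_rule, address_seen_on_outside) for one inside source."""
    ip = ipaddress.ip_address(src)
    for net in exempt_nets:                  # step 1: first match wins
        if ip in ipaddress.ip_network(net):
            return ("nat-exemption", src)
    if statics and src in statics:           # step 2: one-to-one static
        return ("static", statics[src])
    for net in identity_nets:                # step 3: identity NAT
        if ip in ipaddress.ip_network(net):
            return ("identity-nat", src)
    return ("no-rule", None)                 # with nat-control the packet is dropped

# static (inside,outside) 10.131.2.19 10.1.19.9
STATIC = {"10.1.19.9": "10.131.2.19"}

def original_post(src):
    # nat (inside) 0 access-list nonat, where nonat is "permit ip any any"
    return translate(src, exempt_nets=["0.0.0.0/0"], statics=STATIC)

def first_reply(src):
    # nat (inside) 0 0.0.0.0 0.0.0.0
    return translate(src, statics=STATIC, identity_nets=["0.0.0.0/0"])

if __name__ == "__main__":
    # 10.1.19.50 is a constructed second host on the same inside LAN
    for host in ("10.1.19.9", "10.1.19.50"):
        print(host, "original post:", original_post(host))
        print(host, "first reply:  ", first_reply(host))
```

In this model the "permit ip any any" exemption matches 10.1.19.9 before the static is consulted, while the identity NAT form lets the static apply. On the firewall itself, `show xlate` and `packet-tracer` show which rule a given flow actually hits.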
