Cisco Support Community

New Member

Unidirectional / Variable NAT on ASA

Hi, we have a Checkpoint Firewall we are migrating to an ASA.

One type of access we have is for groups of users on the "outside" interface, connecting to Servers on the "Inside" interface.

These Servers' addresses are NATted, in a way that the users will connect to the NAT address and currently the CP FW will NAT those to the real address before sending them off. So far nothing weird...

The problem is that we currently have some users with access to the REAL IP of the servers, not the NATted one, and I can't seem to replicate that in the ASA.

In CP it is very easy, because the Translation rules include all components and are defined in a direction, that is for example:

If the packet comes from "User/IP A", destined for "Server 1's NAT", then keep the source "as is" and NAT the destination to "Server 1's real IP",

When the return traffic comes, I assume it knows through a state table or something (because there is no entry for the other direction) that it did the NAT so it reverses it.

Now when a user connects to the "real IP", no NAT takes place, and the connection works (and I say I think it records this with some type of state table because of the above, where NAT does take place and nothing happens here).

When we try this on the ASA, we would normally try a static NAT like so:

static (outside, inside) real_IP  nat_IP

Which would be fine, except that when the users attempt to connect to the "real IP", while of course it won't be NATted, the return traffic DOES get NATted, and the connection breaks...

I've looked at Policy NAT, but it seems to have the same problem, as the same users can connect to either the real or NAT IP, and therefore if they're in the ACL for the Policy NAT, the same problem would occur with the return traffic...

Any thoughts on a way to get this working?

Cisco Employee

Re: Unidirectional / Variable NAT on ASA

Hi Walter,

I think what you need here is NAT exemption which allows a connection through the appliance without being NAT'd.

Let's assume your public IP to NAT to the internal servers is

Your internal LAN is 192.168.20.X/24 being your internal server.

You would allow access to the users that connect to the NAT address with a static NAT:

static (inside,outside) netmask

Now you need to instruct the ASA not to NAT the flows from your clients connecting directly to the server IP address,

i.e. your client being 192.168.30.X/0

access-list NAT0 extended permit ip host

And then apply the NAT config as NAT value 0

nat (inside) 0 access-list NAT0

Next you need to configure the interface ACL accordingly to accept the connections from each source.
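The steps in the reply above, written out as one configuration in the same pre-8.3 `static` / `nat 0` syntax. This is an added example, not part of the original post: the addresses 203.0.113.10, 198.51.100.0/24 and 192.168.20.10, the ACL name OUTSIDE_IN and the tcp/443 service are constructed assumptions, while 192.168.20.X and 192.168.30.X are the networks named in the reply.

```cisco
! --- Constructed values (assumptions, not from the thread) ---
!   203.0.113.10     public (NAT) address of the server
!   192.168.20.10    real address of the server on the inside LAN
!   198.51.100.0/24  users who connect to the NAT address
!   192.168.30.0/24  users who connect to the real address

! 1. Static NAT for users of the NAT address.
!    Argument order is mapped address first, real address second.
static (inside,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255

! 2. NAT exemption: flows between the server and the direct clients
!    are left untranslated. The ACL is written from the real (inside)
!    side, server as source and client network as destination.
access-list NAT0 extended permit ip host 192.168.20.10 192.168.30.0 255.255.255.0
nat (inside) 0 access-list NAT0

! 3. Interface ACL on outside, one entry per source group.
!    Translated users are matched against the NAT address,
!    exempted users against the real address. Keep both entries
!    scoped to the known source networks and the required port.
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp 192.168.30.0 255.255.255.0 host 192.168.20.10 eq 443
access-group OUTSIDE_IN in interface outside

! 4. Verification from the ASA CLI (source hosts and ports are constructed):
!    packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 443
!    packet-tracer input outside tcp 192.168.30.5 1025 192.168.20.10 443
!    show xlate
!    show access-list NAT0
```

The `packet-tracer` output lists which NAT rule, if any, each flow matched, and the hit counters in `show access-list NAT0` confirm whether the exemption is being used.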




New Member

Re: Unidirectional / Variable NAT on ASA

Thanks, I'm going to test that out tomorrow and see if we can get it working! I'll post back.
