Interface to interface NAT exemption and access

Hi,

I've got an ASA5520 7.0(4) and I'm trying to get two interfaces to talk to each other without NAT

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.99.36.4 255.255.252.0
!
interface GigabitEthernet0/0.1
 vlan 10
 nameif insidevoice
 security-level 90
 ip address 10.99.60.4 255.255.252.0

I don't have any static entries defined for these interfaces and I feel this is what I'm missing, but I don't understand the context I need for them.

access-list nonatvoice extended permit ip object-group godalmingvnet object-group godalmingnet
object-group network godalmingnet
 description network godalming
 network-object 10.99.36.0 255.255.252.0
object-group network godalmingvnet
 description voice network godalming
 network-object 10.99.60.0 255.255.252.0
nat 0 (insidevoice) access-list nonatvoice

That's all the config I believe is relevant for the interfaces - can anyone help?

1 REPLY

Re: Interface to interface NAT exemption and access

Always think of the basic rules of PIX NAT:

high security -> low (e.g. inside users surfing internet) you need nat&global.

low security -> high (e.g. external access to a mail server) you need static (& ACL).

no_NAT makes it more complicated but you could do this in one of three ways:

access-list nonatvoice extended permit ip object-group godalmingnet object-group godalmingvnet
nat 0 (inside) access-list nonatvoice

or

static (inside,insidevoice) 10.99.60.0 10.99.60.0 netmask 255.255.252.0 0 100

or you could turn off NAT:

no nat-control

Check the command ref at http://www.cisco.com/en/US/products/ps6120/products_command_reference_book09186a00805fbad6.html for that last one, it might come in very handy.
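The direction problem discussed in this thread can be checked mechanically. The following is an added example, not part of either post: a small Python check that reads the configuration lines quoted above and reports, per direction, whether a `nat 0` exemption ACL bound to the source interface covers that interface's subnet toward the other one. The names `parse` and `exempt` are hypothetical, and the parser only handles the object-group ACL form used in the thread.

```python
import ipaddress

# Constructed input: the asker's lines from the thread that the check reads
# (security-level, vlan and description lines omitted).
ASKER = """
interface GigabitEthernet0/0
 nameif inside
 ip address 10.99.36.4 255.255.252.0
interface GigabitEthernet0/0.1
 nameif insidevoice
 ip address 10.99.60.4 255.255.252.0
object-group network godalmingnet
 network-object 10.99.36.0 255.255.252.0
object-group network godalmingvnet
 network-object 10.99.60.0 255.255.252.0
access-list nonatvoice extended permit ip object-group godalmingvnet object-group godalmingnet
nat 0 (insidevoice) access-list nonatvoice
"""
# The reply's first option, appended to the same configuration.
FIXED = ASKER + """access-list nonatvoice extended permit ip object-group godalmingnet object-group godalmingvnet
nat 0 (inside) access-list nonatvoice
"""

def parse(cfg):
    nets, groups, acls, nat0, name = {}, {}, {}, {}, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "nameif":
            name = w[1]
        elif w[:2] == ["ip", "address"]:
            nets[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["object-group", "network"]:
            name = w[2]
        elif w[0] == "network-object":
            groups.setdefault(name, []).append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
        elif w[0] == "access-list" and w[5:8:2] == ["object-group"] * 2:
            acls.setdefault(w[1], []).append((w[6], w[8]))  # (source, destination)
        elif w[:2] == ["nat", "0"]:
            nat0[w[2].strip("()")] = w[4]  # interface -> exemption ACL name
    return nets, groups, acls, nat0

def exempt(cfg, src_if, dst_if):
    """True if a nat 0 ACL bound to src_if covers src_if's subnet -> dst_if's subnet."""
    nets, groups, acls, nat0 = parse(cfg)
    return any(
        any(nets[src_if].subnet_of(n) for n in groups[s])
        and any(nets[dst_if].subnet_of(n) for n in groups[d])
        for s, d in acls.get(nat0.get(src_if), [])
    )

for label, cfg in (("asker", ASKER), ("reply option 1", FIXED)):
    print(label, exempt(cfg, "inside", "insidevoice"), exempt(cfg, "insidevoice", "inside"))
```

On the asker's configuration only the insidevoice-to-inside direction is exempted; with the reply's first option appended, both directions are.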
