Static NAT using access-lists?

Hi,

I have an ASA5520 and I'm having an issue with static NAT configuration.

I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.

This is working fine. The issue is that I have other clients that I would like to access the host using its real physical address of 1.1.1.1.

I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address, I would like to flip this logic if possible.

Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1', and for everyone else, don't NAT?

My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would, but I don't see how to...

Thanks,

Des

2 REPLIES
Re: Static NAT using access-lists?

Des,

You need to create an access-list to be used with the nat 0 statement.

access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

- This tells the PIX/ASA to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2.

Then use the nat 0 statement:

nat (inside) 0 access-list inside_nonat

To permit outside users to see inside addresses without NAT, flip this logic:

access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

nat (outside) 0 access-list outside_nonat

You'll also have to permit this traffic through the ACL of the outside interface:

access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

- Brandon

Re: Static NAT using access-lists?

You need policy static NAT (search cisco.com).

static (inside,outside) 2.2.2.2 access-list acl2 0 0

access-list acl2 permit ip host 1.1.1.1 x.x.x.0 255.255.255.0

With "no nat-control", you don't have to worry about nat 0 and real 1.1.1.1 access.

This feature has some bugs so I'm not sure you'll succeed.

Peter
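The policy static NAT in the reply above is easy to misread because the access-list is written from the inside, untranslated point of view yet also gates inbound connections to the mapped address. The following is an added example, not code from the thread or from Cisco: a small Python model of that decision for the pre-8.3 syntax `static (inside,outside) 2.2.2.2 access-list acl2`, with a constructed 10.10.10.0/24 standing in for the poster's "x.x.x.0 255.255.255.0" client network.

```python
import ipaddress

# Constructed values: 10.10.10.0/24 stands in for the "x.x.x.0 255.255.255.0"
# client network in the reply; the host and mapped addresses are the thread's.
REAL_HOST = ipaddress.ip_address("1.1.1.1")       # inside host, real address
MAPPED_ADDR = ipaddress.ip_address("2.2.2.2")     # address the policy maps it to
CLIENT_NET = ipaddress.ip_network("10.10.10.0/24")
NAT_CONTROL = False  # "no nat-control": traffic with no NAT match still passes


def acl2_matches(real_src, dst):
    """Model of: access-list acl2 permit ip host 1.1.1.1 x.x.x.0 255.255.255.0
    The policy ACL is written from the inside, untranslated view: source is the
    real inside host, destination is the outside client range."""
    return real_src == REAL_HOST and dst in CLIENT_NET


def outbound(src, dst):
    """Inside -> outside. Returns (src, dst, action) after the NAT decision,
    or None when the ASA would refuse the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl2_matches(src, dst):
        return (str(MAPPED_ADDR), str(dst), "translated")
    if NAT_CONTROL:
        return None  # nat-control: no NAT rule means the flow is denied
    return (str(src), str(dst), "untranslated")


def inbound(src, dst):
    """Outside -> inside. A static is bidirectional: for a packet to the mapped
    address the ASA checks the ACL with the roles reversed (real host as source,
    the outside client as destination)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == MAPPED_ADDR:
        if acl2_matches(REAL_HOST, src):
            return (str(src), str(REAL_HOST), "translated")
        return None  # no policy match: 2.2.2.2 is not mapped for this client
    if NAT_CONTROL:
        return None
    # With no nat-control a client may reach the real 1.1.1.1 directly,
    # which is what the original poster wanted for "everyone else".
    return (str(src), str(dst), "untranslated")


if __name__ == "__main__":
    print(outbound("1.1.1.1", "10.10.10.5"))   # ('2.2.2.2', '10.10.10.5', 'translated')
    print(inbound("10.10.10.5", "2.2.2.2"))    # ('10.10.10.5', '1.1.1.1', 'translated')
    print(inbound("192.0.2.9", "2.2.2.2"))     # None
    print(inbound("192.0.2.9", "1.1.1.1"))     # ('192.0.2.9', '1.1.1.1', 'untranslated')
```

The model covers only the translation decision; the outside interface ACL that Brandon mentions is a separate check and still has to permit the inbound traffic.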
