https://community.cisco.com/t5/network-security/static-nat-verification/m-p/2724409#M179213 <P>That will work. You need:</P><OL><LI>The network 111.11.11.56/29 has to be routed to your ASA by the ISP</LI><LI>You need the command "arp permit-nonconnected" on the ASA</LI><LI>and the "normal" static NAT and access-control on your ASA</LI></OL> Sat, 05 Sep 2015 14:31:53 GMT Karsten Iwen 2015-09-05T14:31:53Z https://community.cisco.com/t5/network-security/static-nat-verification/m-p/2724408#M179194 <P>Hi all,</P><P>I have a static nat question that came up in and environment, but i am not 100% sure if this will work.</P><P>Need some verification, due to the nature of the subnet-ed networks done by the ISP,</P><P>&nbsp;</P><P>I have an ASA connected direct to the ISP with the network 111.11.11.64/30.</P><P>However i need to Static NAT all our Microsoft Lync services to subnet IPs beyond the /30 network which is in the range of 111.11.11.56/29.</P><P>Will the above work?</P><P>&nbsp;</P><P>Usually i would do a /25 on the public network, but this time, the IPs subneted is being fixed by the ISP, as i do not want the hassle of calling them up to just change the subnet/re-routing on their side</P><P>Appreciate any advise</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:33:18 GMT https://community.cisco.com/t5/network-security/static-nat-verification/m-p/2724408#M179194 J_Vansen_S 2019-03-12T06:33:18Z https://community.cisco.com/t5/network-security/static-nat-verification/m-p/2724409#M179213 <P>That will work. You need:</P><OL><LI>The network 111.11.11.56/29 has to be routed to your ASA by the ISP</LI><LI>You need the command "arp permit-nonconnected" on the ASA</LI><LI>and the "normal" static NAT and access-control on your ASA</LI></OL> Sat, 05 Sep 2015 14:31:53 GMT https://community.cisco.com/t5/network-security/static-nat-verification/m-p/2724409#M179213 Karsten Iwen 2015-09-05T14:31:53Z