topic nonat access-list versus static mapping in Network Security

nonat access-list versus static mapping

gp1200x — Tue, 12 Mar 2019 04:12:26 GMT

I am using code level 8.2.5

global (dmz) 1 interface
global (outside) 1 interface

nat (dmz) 0 access-list NONAT1

nat (inside) 0 access-list nonat
static (inside,dmz) 10.42.198.176 172.22.196.2 netmask 255.255.255.255

This is in reference to the bold nat command above. The nonat access list is a range of internal subnets in our network. If I use an external access list inbound to the outer ASA interface, can the outside addresses reach the inside address without any issues or do I still have to create a static reference for the inside address even though they are not natted going from the inside interface to the outside interface.

ex.

access-list External-in permit ip any host 10.0.0.1

access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

Can address 10.1.1.1 have unrestricted access to 10.0.0.1

Thanks

Yes, outside host should have

Jennifer Halim — Mon, 19 May 2014 08:17:22 GMT

Yes, outside host should have unlimited access to the internal host 10.0.0.1 based on the nonat and ACL applied to the outside interface. I am assuming that this is clear text traffic, not via VPN tunnel?

Yes it was for clear text. I

gp1200x — Mon, 19 May 2014 13:36:56 GMT

Yes it was for clear text. I did a quick test to verify it too...I was getting lazy and didn't really want to set a quick ASA to test. Thanks