topic Re: Policy NAT in Network Security

Policy NAT

John Blakley — Mon, 11 Mar 2019 15:24:09 GMT

So, I was doing some testing this weekend, and I had noticed something that I wanted someone to verify my findings. In an ASA, if I create an acl and policy nat, it seems that it's two directions.

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list NONAT

From the 192.168.3.0 subnet, I could ping something in the 192.168.1.0 subnet, and the same in reverse. I would've thought that I needed to create a 192.168.3.0 -> 192.168.1.0 ace, but that wasn't the case. Does that seem right?

Thanks!

John

Re: Policy NAT

Jon Marshall — Mon, 27 Apr 2009 13:28:54 GMT

John

"I would've thought that I needed to create a 192.168.3.0 -> 192.168.1.0 ace, but that wasn't the case"

When you say ace do you mean another access-list like the NONAT acl but in reverse ?

If so, no you don't need to because the above is a nat exemption and that is bi-directional.

Jon

Re: Policy NAT

John Blakley — Mon, 27 Apr 2009 13:34:31 GMT

Jon,

Yes in reverse. I thought my acl would've needed to look like:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list NONAT permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Since the acl is src -> dst, I thought that's what was needed, when I put my first entry in, I realized that I could ping from both sides of the dmz (dmz-in,in-dmz). I'm switching the asa off of identity nat and going to policy nat.

Thanks!

John