<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NAT question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nat-question/m-p/1191121#M875749</link>
    <description>&lt;P&gt;Will the following NAT config on an ASA conflict?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The first part is for one-to-one NAT for inside address 172.16.1.1:&lt;/P&gt;&lt;P&gt;static (inside,outside) 192.168.1.1 172.16.1.1 netmask 255.255.255.255&lt;/P&gt;&lt;P&gt;access-list outside_in permit tcp host 10.10.10.10 host 192.168.1.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The following is an exception for the one-to-one NAT. I have a host on the outside that needs to access the inside host 172.16.1.1, but they cannot use 192.168.1.1 as the destination. So here was what I proposed:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list nat-exception permit ip host 172.16.1.1 host 209.x.x.x&lt;/P&gt;&lt;P&gt;static (inside,outside) 172.32.1.1 access-list nat-exception&lt;/P&gt;&lt;P&gt;access-list outside_in permit tcp host 209.x.x.x host 172.32.1.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Basically, I have a static NAT already in place, but have a new customer coming in that needs to access the same internal address via an address that is not the already defined static statement, so I was wondering if the static with the access-list would be a workaround without conflicting with or affecting the one-to-one NAT? I'm guessing the one-to-one NAT trumps my idea. If anyone has any idea on how I can make this work, please advise. Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 14:56:59 GMT</pubDate>
    <dc:creator>mjsully</dc:creator>
    <dc:date>2019-03-11T14:56:59Z</dc:date>
    <item>
      <title>NAT question</title>
      <link>https://community.cisco.com/t5/network-security/nat-question/m-p/1191121#M875749</link>
      <description>&lt;P&gt;Will the following NAT config on an ASA conflict?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The first part is for one-to-one NAT for inside address 172.16.1.1:&lt;/P&gt;&lt;P&gt;static (inside,outside) 192.168.1.1 172.16.1.1 netmask 255.255.255.255&lt;/P&gt;&lt;P&gt;access-list outside_in permit tcp host 10.10.10.10 host 192.168.1.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The following is an exception for the one-to-one NAT. I have a host on the outside that needs to access the inside host 172.16.1.1, but they cannot use 192.168.1.1 as the destination. So here was what I proposed:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list nat-exception permit ip host 172.16.1.1 host 209.x.x.x&lt;/P&gt;&lt;P&gt;static (inside,outside) 172.32.1.1 access-list nat-exception&lt;/P&gt;&lt;P&gt;access-list outside_in permit tcp host 209.x.x.x host 172.32.1.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Basically, I have a static NAT already in place, but have a new customer coming in that needs to access the same internal address via an address that is not the already defined static statement, so I was wondering if the static with the access-list would be a workaround without conflicting with or affecting the one-to-one NAT? I'm guessing the one-to-one NAT trumps my idea. If anyone has any idea on how I can make this work, please advise. Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 14:56:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-question/m-p/1191121#M875749</guid>
      <dc:creator>mjsully</dc:creator>
      <dc:date>2019-03-11T14:56:59Z</dc:date>
    </item>
    <item>
      <title>Re: NAT question</title>
      <link>https://community.cisco.com/t5/network-security/nat-question/m-p/1191122#M875750</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I had the same type of issue. I had to use policy NAT to fix it. The policy NAT is triggered by an access-list. Your second NAT command is a policy NAT. You should convert your one-to-one NAT to a policy NAT. You may still see a NAT conflict pop up on your CLI, but it will still work fine.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Feb 2009 15:49:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-question/m-p/1191122#M875750</guid>
      <dc:creator>allen.malanda_2</dc:creator>
      <dc:date>2009-02-25T15:49:49Z</dc:date>
    </item>
  </channel>
</rss>

