https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865901#M925470 Oh ok sorry, you mean the firewall itself is not doing the nat translation? If this is inbound traffic, and the ASA is not doing any NAT translation/un-translation, then the ASA would only know the public IP address - therefore the ACL rule should reference the only IP address it recieved traffic from (the public IP address). Fri, 31 May 2019 17:48:06 GMT Rob Ingram 2019-05-31T17:48:06Z https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865756#M925467 <P>You must still use the natted IP not the real source IP in the access-rules correct?</P> Fri, 21 Feb 2020 17:11:06 GMT https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865756#M925467 CiscoBrownBelt 2020-02-21T17:11:06Z https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865791#M925468 Hi,<BR />No, you always use the real IP address in the ACL not the natted ip address.<BR /><BR />I believe older version of ASA, v8.2 (from memory) however was different in regard to NAT. I assume you have a relatively new 9.x version of ASA? In which case use the real IP address.<BR /><BR />HTH Fri, 31 May 2019 14:16:46 GMT https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865791#M925468 Rob Ingram 2019-05-31T14:16:46Z https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865812#M925469 Just so I can clarify, so if the IPs are being Natted prior to the FW you need to enter the original IP? Fri, 31 May 2019 14:55:45 GMT https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865812#M925469 CiscoBrownBelt 2019-05-31T14:55:45Z https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865901#M925470 Oh ok sorry, you mean the firewall itself is not doing the nat translation? If this is inbound traffic, and the ASA is not doing any NAT translation/un-translation, then the ASA would only know the public IP address - therefore the ACL rule should reference the only IP address it recieved traffic from (the public IP address). Fri, 31 May 2019 17:48:06 GMT https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3865901#M925470 Rob Ingram 2019-05-31T17:48:06Z https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3867130#M925471 <P>Yes sorry I should have clarified but awesome thanks!</P><P>&nbsp;</P><P>Just created another post, but what if I want to NAT an internal IP address to another IP address that should be allowed to transverse an IPSEC tunnel on an ASA? Example, I have 160.1.1.10 address that I want to be Natted to 170.1.1.10 which is an source IP allowed to reach 200.1.1.10 destination IP of the IPSEC tunnel?&nbsp;</P><P>In addition to my NAT statement which is:</P><P>"Object-Nat" natting static 160.1.1.10 to 170.1.1.10 and choosing Inside interface as source interface (160.1.1.10 host is in the Inside interface) and Outside interface (IPSEC tunnel starts/exits Outside interface on both Local and Remote Tunnel/ASA devices,</P><P>Do I need to create another ACL rule which would be applied to the Crypto Map ACL or no since the Crypto Map ACL is already defining/allowing source address 170.1.1.10 to reach remote destination IP 200.1.1.10?</P> Tue, 04 Jun 2019 02:13:33 GMT https://community.cisco.com/t5/network-security/allowing-natted-ips-through-asa/m-p/3867130#M925471 CiscoBrownBelt 2019-06-04T02:13:33Z