
Static Nat and Nat 0

lee.messenger
Level 1

Hi,

I have an ASA running ver 8.0.

I want to create a static NAT for one host residing on the LAN hanging off the inside interface.

All other traffic going through the firewall should not be natted (or natted to the same IP). Would this configuration work OK?

nat-control

static (inside,outside) 10.131.2.19 10.1.19.9

nat (inside) 0 access-list nonat

nat (outside) 0 access-list nonat

access-list nonat permit ip any any

Any advice on how to do this a better way would also be appreciated.

Cheers

Lee

3 Replies

Jon Marshall
Hall of Fame

Hi Lee

nat-control

static (inside,outside) 10.131.2.19 10.1.19.9

nat (inside) 0 0.0.0.0 0.0.0.0

That should do the trick. The static takes preference over the NAT statement. The NAT statement just says do not NAT any traffic.

HTH

Jon

jwalker
Level 3

The "nat (outside) 0 access-list nonat" is redundant/unnecessary. This is a NAT exemption statement, so it works bidirectionally. A NAT 0 works unidirectionally and specifies a single IP going in or out.

alanajjar
Level 1

Hi Lee,

If you don't want to NAT all traffic, don't use the nat-control command, because this command will pass only natted addresses, and if any address is not natted, it will be dropped.

To perform natting on a specific internal ip address, you can use:

nat (inside) 2 10.1.19.9 (INTERNAL IP)

global (outside) 2 10.131.2.19 (EXTERNAL IP)

This will NAT the internal address 10.2.19.9 to an external address 10.131.2.19.
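
An added example, not part of any post in this thread: a simplified Python model of the pre-8.3 ASA order for matching real addresses (NAT exemption, then static, then regular nat), applied to the three configurations posted above. It covers only outbound connections from the inside; the dictionary layout, the function name and the second host 10.1.19.50 are constructed for illustration.

```python
import ipaddress

def translate(src, cfg):
    """Return (rule, mapped_source) for an outbound connection from inside host src.

    Simplified model (an assumption of this example) of the documented pre-8.3
    order: NAT exemption, then static, then regular nat (identity nat 0 included).
    """
    ip = ipaddress.ip_address(src)
    # 1. NAT exemption: nat (inside) 0 access-list <acl>
    if any(ip in ipaddress.ip_network(n) for n in cfg.get("exempt_acl", [])):
        return ("exempt", src)
    # 2. static (inside,outside) <mapped> <real>
    for mapped, real in cfg.get("static", []):
        if src == real:
            return ("static", mapped)
    # 3. Regular nat: nat (inside) <id> <net>; id 0 is identity NAT
    for nat_id, net in cfg.get("nat", []):
        if ip in ipaddress.ip_network(net):
            if nat_id == 0:
                return ("identity", src)
            return ("dynamic", cfg["global"][nat_id])
    # No rule matched: nat-control drops the packet, otherwise it passes untranslated
    return ("drop", None) if cfg.get("nat_control") else ("no-nat", src)

# The three configurations from the thread, in the constructed dictionary layout
QUESTION = {"nat_control": True, "exempt_acl": ["0.0.0.0/0"],  # permit ip any any
            "static": [("10.131.2.19", "10.1.19.9")]}
FIRST_REPLY = {"nat_control": True,
               "static": [("10.131.2.19", "10.1.19.9")],
               "nat": [(0, "0.0.0.0/0")]}
THIRD_REPLY = {"nat_control": False,
               "nat": [(2, "10.1.19.9/32")],
               "global": {2: "10.131.2.19"}}

def compare(hosts=("10.1.19.9", "10.1.19.50")):  # second host is constructed
    """Map each configuration name to the per-host translation result."""
    configs = {"question": QUESTION, "first_reply": FIRST_REPLY,
               "third_reply": THIRD_REPLY}
    return {name: {h: translate(h, cfg) for h in hosts}
            for name, cfg in configs.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        for host, outcome in result.items():
            print(f"{name:12} {host:12} -> {outcome}")
```

On a device, the matching rule for a given flow can be checked with `packet-tracer` and the active translations with `show xlate`.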
