10-06-2010 04:13 PM - edited 03-11-2019 11:51 AM
In my old PIX I had this:
PIX515e# show nat
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
We have the "don't NAT" (nat 0) with an access-list; how do I re-implement this with ASA 8.3(2)? I didn't see how to tie an ACL to a NAT. -jason
10-06-2010 05:14 PM
Hi,
I am putting an example here.
In pre-8.3:
access-list EXEMPT extended permit ip 10.1.3.0 255.255.255.0 20.2.4.0 255.255.255.0
nat (inside) 0 access-list EXEMPT
In 8.3:
object network obj-10.1.3.0
subnet 10.1.3.0 255.255.255.0
object network obj-20.2.4.0
subnet 20.2.4.0 255.255.255.0
nat (inside,any) source static obj-10.1.3.0 obj-10.1.3.0 destination static obj-20.2.4.0 obj-20.2.4.0
For DMZ NAT exemption you can change the inside to DMZ and use the appropriate networks.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 will change to:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
I hope that helps. Here is a doc that explains it further: https://supportforums.cisco.com/docs/DOC-9129
Thanks, Namit
10-06-2010 05:17 PM
Hello,
You are correct. 8.3 does not have an option for NAT with an ACL. You can try the following:
Assume that your old NAT rule was as follows:
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Then, in 8.3, the corresponding configuration would be:
object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (inside,any) source static obj_10.1.1.0 obj_10.1.1.0 destination static obj_192.168.1.0 obj_192.168.1.0
Hope this helps.
Regards,
NT
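As an added example that is not part of either answer and not a Cisco tool, the script below applies the mapping both replies describe to a whole pre-8.3 configuration rather than to one ACL entry: every permit-ip entry of an access-list referenced by nat 0 becomes an identity twice-NAT statement, and a nat N 0.0.0.0 0.0.0.0 line paired with global (if) N interface becomes object NAT with dynamic interface. The sample input is constructed from the addresses in this thread; the obj-<network> naming, the obj-host- and -pat suffixes, and the restriction to permit-ip entries with subnet, host or any operands are the script's own assumptions.

```python
"""Translate pre-8.3 ASA/PIX 'nat 0 access-list' exemptions and the simple
'nat N 0.0.0.0 0.0.0.0' + 'global (if) N interface' PAT pair into 8.3 syntax.
Hypothetical helper script written for this thread, not a Cisco tool."""
import ipaddress
import re

# Only the forms that appear in the thread are parsed: permit-ip ACEs with
# subnet/mask, 'host' or 'any' operands. Deny ACEs and other protocols are skipped.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")
NAT_DYN_RE = re.compile(r"^nat\s+\((\S+)\)\s+([1-9]\d*)\s+(\S+)\s+(\S+)(?:\s+\d+\s+\d+)?$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+interface$")

# Constructed sample built from the addresses in the question and the answers.
SAMPLE_PRE_83 = """\
access-list inside_outbound_nat0_acl extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.1.1.0 255.255.255.0 host 172.16.5.9
access-list DMZ_outbound_nat0_acl extended permit ip 10.1.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
global (outside) 1 interface
"""


def _take_addr(tokens):
    """Consume one ACL address operand and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _obj_name(net):
    """Object naming follows the obj-<network> style of the answers (assumption)."""
    if net.prefixlen == 0:
        return "obj-any"
    if net.prefixlen == 32:
        return f"obj-host-{net.network_address}"
    return f"obj-{net.network_address}"


def _obj_lines(name, net):
    """Emit an 'object network' definition with a host or subnet body."""
    if net.prefixlen == 32:
        return [f"object network {name}", f" host {net.network_address}"]
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def convert(config_text):
    """Return the 8.3-style lines equivalent to the pre-8.3 NAT lines in config_text."""
    acls, nat0, dyn, globals_ = {}, [], [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2)))
        elif m := NAT_DYN_RE.match(line):
            dyn.append((m.group(1), m.group(2), _take_addr([m.group(3), m.group(4)])[0]))
        elif m := GLOBAL_RE.match(line):
            globals_[m.group(2)] = m.group(1)  # nat id -> egress interface

    objects, twice_nat, auto_nat = {}, [], []
    # Section 1 (manual/twice NAT): one identity rule per nat-0 ACE, as in both answers.
    for iface, acl in nat0:
        for src, dst in acls.get(acl, []):
            s, d = _obj_name(src), _obj_name(dst)
            objects.setdefault(s, src)
            objects.setdefault(d, dst)
            twice_nat.append(
                f"nat ({iface},any) source static {s} {s} destination static {d} {d}")
    # Section 2 (auto/object NAT): dynamic PAT to the interface named by the matching 'global'.
    for iface, nat_id, net in dyn:
        egress = globals_.get(nat_id)
        if egress is None:
            continue  # no 'global ... interface' for this id; pool-based globals are out of scope
        name = _obj_name(net) + "-pat"  # separate object so it never collides with an identity object
        auto_nat += _obj_lines(name, net) + [f" nat ({iface},{egress}) dynamic interface"]

    out = []
    for name, net in objects.items():
        out += _obj_lines(name, net)
    return out + twice_nat + auto_nat


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_PRE_83)))
```

The identity rules are emitted first because, in 8.3, manual (twice) NAT in section 1 is evaluated before object NAT in section 2, which preserves the old behaviour where nat 0 exemptions won over the nat 1 rule. After pasting the result, show nat and packet-tracer on the ASA confirm which rule a given flow hits.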