Hi Sagar, Concept of NAT

sagarludbe065 · ‎07-16-2014

Hello Everyone,

I have recently installed Cisco ASA 5525 in our customer premises. Issue with ACL deny policy in regular nat 0 exemption. In Old setup, They have PIX 525 with old version. In ASA 9.1 Cisco removed the nat 0 exemption keyword command

Please help me with nat 0 exemption in term of creation of ACL deny policy.

Old setup Pix access list with nat 0 exemption

access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.216.150
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.160.41
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.128.96 255.255.255.240
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.171.0 255.255.255.0
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.179.0 255.255.255.0
access-list Private_inside_nat0_outbound remark Testing
access-list Private_inside_nat0_outbound extended deny ip 192.168.70.0 255.255.255.0 192.168.179.0 255.255.255.0
access-list Private_inside_nat0_outbound extended permit ip any any
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.40 host 192.168.128.108
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.101 host 192.168.128.110
access-list private_outside_nat0_inbound extended permit ip 192.168.100.128 255.255.255.128 any
access-list Private_dmz_nat0_outbound_1 remark CPC
access-list Private_dmz_nat0_outbound_1 extended deny ip host 192.168.6.167 any
access-list Private_dmz_nat0_outbound_1 extended permit ip any any
access-list NCP_nat0_inbound remark NCP_TO_ABC
access-list NCP_nat0_inbound extended deny ip host 192.168.128.108 host 192.168.100.40
access-list NCP_nat0_inbound extended deny ip host 192.168.141.177 host 192.168.100.86

nat (inside) 0 access-list Private_inside_nat0_outbound
nat (outside) 0 access-list private_outside_nat0_inbound outside
nat (dmz) 0 access-list Private_dmz_nat0_outbound_1
nat (NCP) 0 access-list NPCI_nat0_inbound outside

static (inside,NCP) interface 192.168.100.40 netmask 255.255.255.255
static (inside,NCP) 192.168.128.108 192.168.100.28 netmask 255.255.255.255
static (inside,NCP) 192.168.128.110 192.168.100.101 netmask 255.255.255.255
static (inside,NCP) 192.168.128.109 192.168.100.29 netmask 255.255.255.255
static (inside,NCP) 192.168.128.102 192.168.100.33 netmask 255.255.255.255
static (inside,NCP) 192.168.128.105 192.168.100.63 netmask 255.255.255.255
static (dmz,NCP) 192.168.128.104 192.168.6.167 netmask 255.255.255.255
static (inside,NCP) 192.168.141.177 192.168.100.86 netmask 255.255.255.255

- Sagar

anatara2 · ‎07-16-2014

Hi Sagar,

Concept of NAT-Control is not present in post 8.2 versions.

Access control can be applied as ACL's and not through natting.

Regards,

Anand

Nat 0 Configuration issue with ACL deny policy on ASA ver(9.1)