07-16-2014 12:54 AM - edited 03-11-2019 09:28 PM
Hello Everyone,
I have recently installed a Cisco ASA 5525 at our customer's premises. The issue is with the ACL deny policy in the regular nat 0 exemption. In the old setup, they had a PIX 525 with an old version. In ASA 9.1 Cisco removed the nat 0 exemption keyword command.
Please help me with nat 0 exemption in terms of creating the ACL deny policy.
Old setup: PIX access list with nat 0 exemption
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.216.150
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 host 192.168.160.41
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.128.96 255.255.255.240
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.171.0 255.255.255.0
access-list Private_inside_nat0_outbound extended deny ip 192.168.100.0 255.255.255.128 192.168.179.0 255.255.255.0
access-list Private_inside_nat0_outbound remark Testing
access-list Private_inside_nat0_outbound extended deny ip 192.168.70.0 255.255.255.0 192.168.179.0 255.255.255.0
access-list Private_inside_nat0_outbound extended permit ip any any
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.40 host 192.168.128.108
access-list Private_inside_nat0_outbound remark NCP
access-list Private_inside_nat0_outbound extended deny ip host 192.168.100.101 host 192.168.128.110
access-list private_outside_nat0_inbound extended permit ip 192.168.100.128 255.255.255.128 any
access-list Private_dmz_nat0_outbound_1 remark CPC
access-list Private_dmz_nat0_outbound_1 extended deny ip host 192.168.6.167 any
access-list Private_dmz_nat0_outbound_1 extended permit ip any any
access-list NCP_nat0_inbound remark NCP_TO_ABC
access-list NCP_nat0_inbound extended deny ip host 192.168.128.108 host 192.168.100.40
access-list NCP_nat0_inbound extended deny ip host 192.168.141.177 host 192.168.100.86
nat (inside) 0 access-list Private_inside_nat0_outbound
nat (outside) 0 access-list private_outside_nat0_inbound outside
nat (dmz) 0 access-list Private_dmz_nat0_outbound_1
nat (NCP) 0 access-list NPCI_nat0_inbound outside
static (inside,NCP) interface 192.168.100.40 netmask 255.255.255.255
static (inside,NCP) 192.168.128.108 192.168.100.28 netmask 255.255.255.255
static (inside,NCP) 192.168.128.110 192.168.100.101 netmask 255.255.255.255
static (inside,NCP) 192.168.128.109 192.168.100.29 netmask 255.255.255.255
static (inside,NCP) 192.168.128.102 192.168.100.33 netmask 255.255.255.255
static (inside,NCP) 192.168.128.105 192.168.100.63 netmask 255.255.255.255
static (dmz,NCP) 192.168.128.104 192.168.6.167 netmask 255.255.255.255
static (inside,NCP) 192.168.141.177 192.168.100.86 netmask 255.255.255.255
- Sagar
07-16-2014 02:51 AM
Hi Sagar,
The concept of NAT-Control is not present in post-8.2 versions.
Access control can be applied as ACLs and not through NATting.
Regards,
Anand
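Added example (not from either post above, and not a Cisco-provided migration): how the PIX `nat 0 access-list` configuration in Sagar's post maps onto ASA 8.3+/9.1 NAT. Since 8.3 there is no exemption keyword; exemption is identity NAT (real and mapped addresses identical), and the NAT table has three sections evaluated first-match: Section 1 manual (twice) NAT in configured order, Section 2 object (auto) NAT, Section 3 manual NAT marked `after-auto`. A `deny` line in the old exemption ACL therefore becomes an explicit rule that sits before the identity rule. Note that in the posted `Private_inside_nat0_outbound` ACL the two `deny` lines after `permit ip any any` are never reached, because the ACL is evaluated first-match. Object names below are my own, only a subset of the old lines is shown (the rest follow the same pattern), and the PAT to the outside interface for the "deny" flows is an assumption: the PIX `nat`/`global` pair that handled those flows was not posted. As Anand says, access control itself goes in interface ACLs, which on 8.3+ match on real (untranslated) addresses.

```cisco
! ASA 9.1 rendering of the PIX nat 0 / static configuration above.
! Added example; object names and the outside PAT are assumptions.

! --- Objects for the networks named in the old ACLs ---
object network INSIDE_100_LOW
 subnet 192.168.100.0 255.255.255.128
object network INSIDE_70
 subnet 192.168.70.0 255.255.255.0
object network HOST_216_150
 host 192.168.216.150
object network HOST_160_41
 host 192.168.160.41
object network NET_179
 subnet 192.168.179.0 255.255.255.0
object network OUTSIDE_100_HIGH
 subnet 192.168.100.128 255.255.255.128

! --- Section 2: object NAT replaces the old static lines ---
! Old form: static (real_ifc,mapped_ifc) mapped_ip real_ip
! New form: the object holds real_ip, "nat ... static mapped_ip".
object network INSIDE_100_28
 host 192.168.100.28
 nat (inside,NCP) static 192.168.128.108
object network INSIDE_100_101
 host 192.168.100.101
 nat (inside,NCP) static 192.168.128.110
object network DMZ_6_167
 host 192.168.6.167
 nat (dmz,NCP) static 192.168.128.104

! --- Section 1: manual NAT, evaluated top-down, first match wins ---
! Each former "deny" line in Private_inside_nat0_outbound becomes an
! explicit rule placed BEFORE the identity rule, so those flows are
! translated instead of exempted.
! ASSUMPTION: those destinations sit behind "outside" and the flows were
! PATed to the outside interface address on the PIX.
nat (inside,outside) source dynamic INSIDE_100_LOW interface destination static HOST_216_150 HOST_216_150
nat (inside,outside) source dynamic INSIDE_100_LOW interface destination static HOST_160_41 HOST_160_41
nat (inside,outside) source dynamic INSIDE_100_LOW interface destination static NET_179 NET_179
nat (inside,outside) source dynamic INSIDE_70 interface destination static NET_179 NET_179

! Former "nat (outside) 0 access-list private_outside_nat0_inbound outside":
! identity NAT for 192.168.100.128/25 arriving on the outside interface.
nat (outside,any) source static OUTSIDE_100_HIGH OUTSIDE_100_HIGH

! --- Section 3: identity NAT placed after object NAT ---
! This is the old "permit ip any any" exemption.  "after-auto" puts it
! below the statics, so a host that has a static is still translated
! toward NCP and everything else passes untranslated.  route-lookup picks
! the egress interface from the routing table rather than from the rule;
! no-proxy-arp stops the ASA answering ARP for the identity-mapped range.
nat (inside,any) after-auto source static any any no-proxy-arp route-lookup
nat (dmz,any) after-auto source static any any no-proxy-arp route-lookup
```

To check which rule a given flow hits, use `show nat detail` (it prints the three sections in evaluation order with hit counters) and `packet-tracer input inside tcp 192.168.100.28 1025 192.168.216.150 443`, whose NAT phase names the matching rule; repeat with a destination on NCP to confirm the static still wins over the identity rule.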