need to understand the nat with access-list

sunil-koul
Level 1

Please let me know what it means, as it is configured on our ASA.

global (mtaas) 5 10.224.128.4

nat (outside) 5 access-list EXIDE-MTAAS-PAT

access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.250

access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.250

access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.244

access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.244

1 Reply

Jouni Forss
VIP Alumni

Hi,

The configuration you mention in your post does the following:

  • It's a Policy PAT for traffic entering from networks behind "outside" to networks behind "mtaas"
  • Traffic that matches the access-list will get PAT translated (Port Address Translation) to the IP address of 10.224.128.4
  • The access-list tells what traffic needs to be translated
    • In this case ANY IP traffic coming from source networks 10.0.0.0/8 and 1.1.1.4/32 will get translated WHEN they try to connect to the hosts 10.224.128.250 and 10.224.128.244

This Policy PAT configuration looks like a configuration for some VPN connection you have on the firewall. It's made so that the connections taken from the VPN connection get PATed to an IP address that's part of the destination network.

- Jouni
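
The match logic described in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it parses the six configuration lines from the question and reports whether a given flow would be PAT translated. The function names are hypothetical, the parser handles only the statement forms shown in the question, and source-port allocation is not modelled.

```python
import ipaddress

# Configuration lines copied from the question above.
CONFIG = """\
global (mtaas) 5 10.224.128.4
nat (outside) 5 access-list EXIDE-MTAAS-PAT
access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.250
access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.250
access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.244
access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.244
"""

def take_network(tokens):
    """Consume 'host A.B.C.D' or 'A.B.C.D MASK' and return an ip_network."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse(config):
    """Return (pools by NAT id, nat rule, ACL entries by name)."""
    pools, nat_rule, acls = {}, None, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "global":
            # global (egress-interface) nat-id pat-address
            pools[t[2]] = (t[1].strip("()"), ipaddress.ip_address(t[3]))
        elif t[0] == "nat" and t[3:4] == ["access-list"]:
            # nat (ingress-interface) nat-id access-list NAME
            nat_rule = (t[1].strip("()"), t[2], t[4])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            src = take_network(rest)
            dst = take_network(rest)
            acls.setdefault(t[1], []).append((src, dst))
    return pools, nat_rule, acls

def policy_pat(config, src, dst):
    """Return the PAT address for a flow arriving on the nat interface, or None."""
    pools, (_nat_if, nat_id, acl_name), acls = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acls[acl_name]:
        # Both source and destination must match one permit entry.
        if src in src_net and dst in dst_net:
            return str(pools[nat_id][1])
    return None
```

A source inside 10.0.0.0/8 is translated only when it connects to one of the two listed hosts; the same source going to any other "mtaas" address falls through and returns None.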
