
Permit specific address on ASA for nat.

Lost & Found
Level 2

Hi, 

I would like to ask how to translate/permit a specific host on the firewall.

On version 8.2 I used nat (inside) 1 ipofhost and subnet.

On version 9.2 it is not working?

Do I need to create a net object network for the specific address to be allowed?

Please see the attached file.

Thank you.

6 Replies

Have a look at Jouni's great document on the changes from 8.2 NAT to the new NAT model:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hi Karsten,

Thanks. But based on Jouni's document, which is the better setup for my scenario? Thanks.

Configure dynamic NAT for the whole internal network (or even "any"). The rest is controlled with Access-Control-Lists.

Hi Karsten,

But I think it's not convenient, because for example:

We are using 10.1.16/24 and 10.1.17.0/24 and we only want to permit 10.1.16.1 and 10.1.17.2/24

So the rest will be configured with ACLs manually?

Thanks.

ACLs, not NAT, are the tools for allowing and denying traffic. You should use it for what it's built for. Although it was possible in older versions to handle that with NAT, it gets really complicated with current ASA versions.
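
The approach from the reply above, written out for the two hosts named in the question, as an added example that is not part of the original thread: dynamic NAT covers both subnets and an interface ACL decides which hosts may pass. The object names, the ACL name INSIDE-IN, the outside interface name and the test destination 203.0.113.10 are assumptions.

```text
! Added example. Names marked "hypothetical" are not from the thread.
!
! Pre-8.3 style, as described in the question (NAT doubles as the filter,
! because only the listed host ever gets a translation):
!   nat (inside) 1 10.1.16.1 255.255.255.255
!   global (outside) 1 interface
!
! 8.3+ style, step 1: translate both inside subnets with object NAT.
! NAT no longer decides who is allowed out.
object network INSIDE-10.1.16.0
 subnet 10.1.16.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network INSIDE-10.1.17.0
 subnet 10.1.17.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Step 2: permit only the two hosts from the question.
! "10.1.17.2/24" in the question is read here as the single host 10.1.17.2
! (assumption).
access-list INSIDE-IN extended permit ip host 10.1.16.1 any
access-list INSIDE-IN extended permit ip host 10.1.17.2 any
! The explicit deny only adds logging; an implicit deny already ends the ACL.
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
!
! Checks after applying (destination address is a constructed sample):
!   show nat detail
!   show access-list INSIDE-IN
!   packet-tracer input inside tcp 10.1.16.1 1025 203.0.113.10 80
!   packet-tracer input inside tcp 10.1.16.50 1025 203.0.113.10 80
! The first trace should end in ALLOW, the second in DROP at the ACL phase.
```

Once an ACL is bound to the inside interface, it replaces the implicit permit toward lower-security interfaces, so every other flow that must leave inside needs its own permit line.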

Thank you. I'll test all of Jouni's samples, hahaha. Thanks.
