Hi,

I looked around the forums and the docs for a long time before posting this question.

I think there are some NAT flexibility lost in 8.3 code.

I have a config in 8.2 that permitted me to policy nat to different adresses for different services (icmp, tcp, udp...)

I am trying to convert it to the new NAT format (after 8.3) but I don't think it's possible for ICMP.

1- translate for ICMP to 20.20.20.2

access-list POLICY_NAT2 extended permit icmp host 172.16.11.2 host 20.20.20.20

nat (inside) 2 access-list POLICY_NAT2

global (outside) 2 20.20.20.2

2- translate for telnet to 20.20.20.11

access-list POLICY_NAT3 extended permit tcp host 172.16.11.2 host 20.20.20.20 eq 23

nat (inside) 3 access-list POLICY_NAT3

global (outside) 3 20.20.20.11

3- translate for all else to 20.20.20.123

access-list POLICY_NAT4 extended permit ip host 172.16.11.2 any

nat (inside) 4 access-list POLICY_NAT4

global (outside) 3 20.20.20.123

I know from the doc that the new NATs can do the same for TCP/UDP ports only:

NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP).

object service TELNET1

service tcp destination eq telnet

object network HOST1

host 172.16.11.2

object network HOST1_OUT

host 20.20.20.11

This works:

nat (inside,outside) source dynamic HOST1 HOST1_OUT service TELNET1 TELNET1

This doesn't:

object service HOST1_ICMP

service icmp

nat (inside,outside) source dynamic HOST1 HOST1_OUT service TELNET1 TELNET1

ERROR: real service object includes protocol that doesnt match TCP or UDP.

Any other methods of doing this?