Policy NAT

John Blakley · ‎04-27-2009

So, I was doing some testing this weekend, and I had noticed something that I wanted someone to verify my findings. In an ASA, if I create an acl and policy nat, it seems that it's two directions.

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list NONAT

From the 192.168.3.0 subnet, I could ping something in the 192.168.1.0 subnet, and the same in reverse. I would've thought that I needed to create a 192.168.3.0 -> 192.168.1.0 ace, but that wasn't the case. Does that seem right?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎04-27-2009

John

"I would've thought that I needed to create a 192.168.3.0 -> 192.168.1.0 ace, but that wasn't the case"

When you say ace do you mean another access-list like the NONAT acl but in reverse ?

If so, no you don't need to because the above is a nat exemption and that is bi-directional.

Jon

John Blakley · ‎04-27-2009

Jon,

Yes in reverse. I thought my acl would've needed to look like:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list NONAT permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

Since the acl is src -> dst, I thought that's what was needed, when I put my first entry in, I realized that I could ping from both sides of the dmz (dmz-in,in-dmz). I'm switching the asa off of identity nat and going to policy nat.

Thanks!

John

HTH, John *** Please rate all useful posts ***