
What type of NAT is this?

Taimur
Level 1

Hi all,

 

I've got an ASA running v8.2 with 'nat control' disabled and having the below NAT configured:

 

 

nat (inside) 20 access-list Nat-XC
nat (inside) 19 access-list Svr-Access
nat (inside) 0 0.0.0.0 0.0.0.0
global (outside) 20 x.y.z.240 netmask 255.255.255.240
global (outside) 20 x.y.z.241 netmask 255.255.255.240
global (outside) 20 x.y.z.242 netmask 255.255.255.240
global (outside) 19 x.y.z.243

 

 

I'm trying to figure out:

1. What exactly is 'nat(inside) 0 0.0.0.0 0.0.0.0' achieving?

2. Is that NAT exemption or identity NAT?

3. Are NAT IDs 19 and 20 getting ignored because of this line?

 

Thanks!

Accepted Solutions

Jon Marshall
Hall of Fame

It's been a while since I did 8.2 but -

1) It is identity NAT, i.e. it translates the IP to the same IP and it does it for all IPs.

2) As above, it is identity NAT.

3) No, they should not be ignored because they are examples of policy NAT and that takes precedence over identity NAT, so if traffic matches the ACLs it should use those.

All that said, like I say, it has been a while, so you may want to refer to the configuration guide, which goes into a lot more detail, to make sure I haven't got anything wrong -

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config.html

 

Jon
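
Added example, not part of the original thread and not Cisco code: a small Python model that classifies the posted `nat` lines and picks the rule for a source address using the pre-8.3 matching order (NAT exemption first, then policy dynamic NAT in configuration order, then regular NAT by best match, which is where `nat 0 <ip> <mask>` identity NAT falls). Static NAT is left out because the posted config has none, and the ACL contents and test addresses are constructed, since the post does not show them.

```python
import ipaddress

# NAT lines as posted in the question (ASA 8.2 syntax).
CONFIG = """\
nat (inside) 20 access-list Nat-XC
nat (inside) 19 access-list Svr-Access
nat (inside) 0 0.0.0.0 0.0.0.0
"""

# Constructed ACL contents (assumption: the post does not show them).
# Only the source networks are modelled.
ACLS = {"Nat-XC": ["10.1.20.0/24"], "Svr-Access": ["10.1.19.0/24"]}

def classify(line):
    """Return (kind, nat_id, match) for one 'nat (if) id ...' line."""
    tok = line.split()
    nat_id = int(tok[2])
    if tok[3] == "access-list":
        # ID 0 with an ACL is NAT exemption; any other ID is policy NAT.
        kind = "exemption" if nat_id == 0 else "policy-dynamic"
        return kind, nat_id, tok[4]
    # Convert the dotted netmask to a prefix length by counting set bits.
    prefix = bin(int(ipaddress.IPv4Address(tok[4]))).count("1")
    net = ipaddress.ip_network(f"{tok[3]}/{prefix}")
    # ID 0 with an address and mask is identity NAT.
    kind = "identity" if nat_id == 0 else "regular-dynamic"
    return kind, nat_id, net

def select_rule(src, config=CONFIG, acls=ACLS):
    """Pick the nat rule applied to a real source address."""
    ip = ipaddress.ip_address(src)
    rules = [classify(l) for l in config.splitlines() if l.startswith("nat ")]

    def acl_hit(name):
        return any(ip in ipaddress.ip_network(n) for n in acls.get(name, []))

    # ACL-based rules are checked first: first match in config order.
    for wanted in ("exemption", "policy-dynamic"):
        for kind, nat_id, match in rules:
            if kind == wanted and acl_hit(match):
                return kind, nat_id
    # Regular NAT, identity NAT included: most specific network wins.
    regular = [r for r in rules
               if r[0] in ("identity", "regular-dynamic") and ip in r[2]]
    if regular:
        kind, nat_id, _ = max(regular, key=lambda r: r[2].prefixlen)
        return kind, nat_id
    return "none", None
```

Running `show xlate` and `show nat` on the firewall itself remains the authoritative check of which rule a given flow actually hit.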
