Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
778
Views
3
Helpful
2
Replies

Static NAT using access-lists?

desmckee
Community Member

‎11-08-2007 07:52 AM - edited ‎03-09-2019 07:18 PM

Hi,

i have an ASA5520 and im having an issue with static nat configuration.

I have an inside host, say 1.1.1.1, that i want to be accessible from the outside as address 2.2.2.2.

This is working fine. The issue is that i have other clients who i would like to access the host using its real physical address of 1.1.1.1.

I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the nat address i would like to flip this logic if possible.

Can i create a nat rule that only matches an access list i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, dont nat?

My Pix cli skills arent the best, but the ASDM suggests that this is possible - on the nat rules page there is a section for the untranslated source to ANY, and if i could change ANY i would but dont see how to...

Thanks,

Des

Labels:
0 Helpful
2 Replies 2

bhatok
Level 3
Level 3

‎11-08-2007 10:42 AM

Des,

You need to create an access-list to be used with the nat 0 statement.

access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

- this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2

then use NAT 0 statement:

nat (inside) 0 access-list inside_nonat

to permit outside users to see inside addresses without NAT, flip this logic.

access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

nat (outside) 0 access-list outside_nonat

you'll also have to permit this traffic through the ACL of the outside interface.

access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255

- Brandon

0 Helpful

koltl-gold
Level 1
Level 1

‎11-09-2007 01:05 AM

You need policy static NAT (search cisco.com).

static (inside,outside) 2.2.2.2 access-list acl2 0 0

access-list acl2 permit ip host 1.1.1.1 x.x.x.0 255.255.255.0

With "no nat-control", you don't have to worry about nat 0 and real 1.1.1.1 access.

This feature has some bugs so I'm not sure you'll succeed.

Peter

Customers Also Viewed These Support Documents