30 July 2010

ASA Outside to Inside NAT

By default, the nat 0 access-list command (NAT exemption) exempts traffic from inside to outside, that is, from a higher-security interface to an interface of equal or lower security. If you also want traffic from outside to inside to bypass NAT, add a second nat 0 access-list command and append the outside keyword, which identifies that NAT instance as outside NAT. You might want outside NAT exemption if you configure dynamic outside NAT on an interface and want to exempt some other traffic on that interface from the translation. (This is the nat/global syntax of ASA releases before 8.3; 8.3 and later replace it with object and twice NAT.)

For example, in order to exempt an inside network when accessing any destination address, enter these commands:
hostname(config)# access-list EXEMPT permit ip 10.1.1.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT
In order to use dynamic outside NAT for a DMZ network and exempt another DMZ network from it, enter these commands. The exemption must carry the outside keyword, because the traffic being exempted flows from the lower-security dmz interface to the higher-security inside interface; without the keyword the nat 0 statement would only exempt dmz traffic headed to equal or lower security interfaces and would leave the dynamic outside NAT untouched. Here 10.1.2.0/24 stands for the second DMZ subnet, distinct from the 10.1.1.0/24 being translated:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.2
hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT outside
The dns keyword on the dynamic NAT statement additionally rewrites the A records in DNS replies that match the translation, so that hosts resolving names across the ASA receive the translated address.
In order to exempt an inside network when accessing two different destination networks, enter these commands (one access-list entry per destination, both bound to the same nat 0 statement):
hostname(config)# access-list NET1 permit ip 10.1.1.0 255.255.255.0 172.16.199.0 255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.1.0 255.255.255.0 172.16.199.224 255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1
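Because the direction an exemption applies to depends only on the outside keyword and the relative security levels, it is easy to check mechanically. The following Python script is an added example, not part of the original post and not Cisco's code: it reads a pre-8.3 ASA configuration, derives interface security levels from the interface blocks, and reports which interface pairs each nat 0 access-list statement actually exempts. It also flags interfaces that carry dynamic outside NAT but no outside exemption, the situation the DMZ example above runs into if the keyword is dropped. The sample configuration is constructed; the interface names, the 10.1.2.0/24 second DMZ subnet and the function names are assumptions for the example.

```python
"""Direction checker for pre-8.3 ASA 'nat 0 access-list' statements.

Added example (not Cisco's code).  Rules implemented:
  * without 'outside': the exemption applies from its interface to interfaces
    of equal or lower security (inside -> outside direction);
  * with 'outside':    it applies to higher-security interfaces (outside NAT).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
SECLEVEL_RE = re.compile(r"^\s+security-level\s+(\d+)")
# nat (ifc) 0 access-list NAME [outside]
NAT_EXEMPT_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)(\s+outside)?\s*$")
# nat (ifc) ID <real net | access-list NAME> <mask | name> [keywords...]
NAT_DYNAMIC_RE = re.compile(r"^nat\s+\((\S+)\)\s+([1-9]\d*)\s+\S+\s+\S+(.*)$")


@dataclass
class Exemption:
    interface: str     # interface named in the nat 0 statement
    acl: str           # access list holding the exempt flows
    outside: bool      # 'outside' keyword present
    covers: List[str]  # destination interfaces the exemption applies to


def parse_security_levels(config: str) -> Dict[str, int]:
    """Map nameif -> security-level from the interface blocks."""
    levels: Dict[str, int] = {}
    name = level = None
    # The sentinel line flushes the last interface block.
    for line in config.splitlines() + ["interface END"]:
        if line.startswith("interface "):
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = SECLEVEL_RE.match(line)
        if m:
            level = int(m.group(1))
    return levels


def exemption_scope(config: str) -> List[Exemption]:
    """Resolve each nat 0 access-list statement to the interfaces it covers."""
    levels = parse_security_levels(config)
    found: List[Exemption] = []
    for line in config.splitlines():
        m = NAT_EXEMPT_RE.match(line.strip())
        if not m:
            continue
        ifc, acl, outside = m.group(1), m.group(2), m.group(3) is not None
        if ifc not in levels:
            raise ValueError(f"nat 0 on unknown interface {ifc!r}")
        src = levels[ifc]
        if outside:
            covers = [n for n, lv in levels.items() if lv > src]
        else:
            covers = [n for n, lv in levels.items() if n != ifc and lv <= src]
        found.append(Exemption(ifc, acl, outside, sorted(covers)))
    return found


def uncovered_outside_nat(config: str) -> List[Tuple[str, int]]:
    """(interface, nat id) pairs with dynamic outside NAT but no 'outside' exemption."""
    exempt_outside = {e.interface for e in exemption_scope(config) if e.outside}
    gaps: List[Tuple[str, int]] = []
    for line in config.splitlines():
        m = NAT_DYNAMIC_RE.match(line.strip())
        if m and "outside" in m.group(3).split() and m.group(1) not in exempt_outside:
            gaps.append((m.group(1), int(m.group(2))))
    return sorted(gaps)


# Constructed sample: three interfaces plus the DMZ scenario from the post,
# with 10.1.2.0/24 standing for the second DMZ subnet (assumed address).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
nat (dmz) 1 10.1.1.0 255.255.255.0 outside dns
global (inside) 1 10.1.1.2
nat (dmz) 0 access-list EXEMPT
"""

# The same configuration with the 'outside' keyword on the exemption.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "nat (dmz) 0 access-list EXEMPT\n", "nat (dmz) 0 access-list EXEMPT outside\n")

if __name__ == "__main__":
    for label, cfg in (("without outside", SAMPLE_CONFIG), ("with outside", FIXED_CONFIG)):
        for e in exemption_scope(cfg):
            print(f"{label}: nat ({e.interface}) 0 access-list {e.acl} exempts "
                  f"{e.interface} -> {e.covers}")
        print(f"{label}: outside NAT lacking an outside exemption: {uncovered_outside_nat(cfg)}")
```

Run against the sample as typed, the dmz exemption resolves to dmz -> outside only and the dynamic outside NAT on dmz is reported as having no matching exemption; with the keyword added it resolves to dmz -> inside and the report is empty. The checker only understands the nat/global statements shown on this page; static NAT and the 8.3 object syntax are out of scope.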
