ASA - NAT based on destination address

Discussion in 'Hardware' started by tomasek, Nov 29, 2007.

  1. tomasek

    tomasek

    Joined:
    Nov 29, 2007
    Messages:
    2
    Hi,

    How to configure source address NAT based on destination address in Cisco ASA 5510?

    source host address 192.168.11.1 accessing 10.1.1.0 255.255.255.0 network (192.168.11.1 to be translated to 172.16.1.1)

    source host address 192.168.11.1 accessing all networks except 10.1.1.0 255.255.255.0 (192.168.11.1 to be translated to 60.60.60.60)


    This is what I tried to configure.

    access-list privataccess extended permit ip host 192.168.11.1 10.1.1.0 255.255.255.0

    access-list publicaccess extended deny ip host 192.168.11.1 10.1.1.0 255.255.255.0
    access-list publicaccess extended permit ip host 192.168.11.1 any

    nat (inside) 1 access-list privataccess outside
    nat (inside) 2 access-list publicaccess outside
    global (outside) 2 60.60.60.60 netmask 255.255.255.255
    global (outside) 1 ISR_WebProdNat netmask 255.255.255.255
    static (inside,outside) 60.60.60.60 access-list publicaccess
    static (inside,outside) 172.16.1.1 access-list privataccess


    but I get a message "Deny rules not supported in Policy Nat" and "access-list has deny statements". What am I doing wrong?

    Thanks for your help

    Tomas.
     
    Last edited: Nov 30, 2007
    tomasek, Nov 29, 2007
    #1

  2. tomasek

    Greeley

    Joined:
    Dec 16, 2007
    Messages:
    67
    Take out this ACL:

    access-list publicaccess extended deny ip host 192.168.11.1 10.1.1.0 255.255.255.0

    As long as the privateaccess ACL comes first, when the source and destination are matched it will automagically go there; all else is denied. When the next NAT translation is hit and goes to the privateaccess ACL, then the remaining source to any host will be processed.

    Hope this helps,

    --G
     
    Greeley, Dec 16, 2007
    #2
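
A small model of the ordering the reply above relies on, added here as an illustration and not code from either poster or from Cisco. It assumes policy NAT rules are checked in configuration order with the first matching ACL winning, uses the translated addresses from the question, and its function names are hypothetical.

```python
import ipaddress

# ACL lines from the thread, with the deny entry removed as the reply advises.
ACLS = """\
access-list privataccess extended permit ip host 192.168.11.1 10.1.1.0 255.255.255.0
access-list publicaccess extended permit ip host 192.168.11.1 any
"""
# Policy NAT rules in configuration order: (ACL name, translated source).
# Translated addresses are the ones the question asks for.
NAT_RULES = [("privataccess", "172.16.1.1"), ("publicaccess", "60.60.60.60")]


def parse_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from tokens and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse_acls(text):
    """Return {name: [(src_net, dst_net), ...]}; refuse deny entries."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # Layout: access-list NAME extended ACTION PROTO SRC DST
        name, action, rest = tokens[1], tokens[3], tokens[5:]
        if action != "permit":
            raise ValueError(f"deny entry in policy NAT ACL {name!r}")
        src = parse_net(rest)
        dst = parse_net(rest)
        acls.setdefault(name, []).append((src, dst))
    return acls


def translate(src, dst, rules=NAT_RULES):
    """Return the translated source of the first rule whose ACL matches."""
    acls = parse_acls(ACLS)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, mapped in rules:
        if any(s in sn and d in dn for sn, dn in acls[name]):
            return mapped
    return None  # no policy NAT rule applies
```

Passing the rules in reverse order sends traffic for 10.1.1.0/24 to 60.60.60.60, which is why the more specific ACL has to be listed first once the deny line is gone.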