ASA - NAT based on destination address

Discussion in 'Hardware' started by tomasek, Nov 29, 2007.

  1. tomasek


    Nov 29, 2007

    How to configure source address NAT based on destination address in Cisco ASA 5510?

    source host address accessing network ( to be translated to

    source host address accessing all networks except of ( to be translated to

    This is what I tried to configure.

    access-list privataccess extended permit ip host

    access-list publicaccess extended deny ip host
    access-list publicaccess extended permit ip host any

    nat (inside) 1 access-list privataccess outside
    nat (inside) 2 access-list publicaccess outside
    global (outside) 2 netmask
    global (outside) 1 ISR_WebProdNat netmask
    static (inside,outside) access-list publicaccess
    static (inside,outside) access-list privataccess

    But I get the messages "Deny rules not supported in Policy Nat" and "access-list has deny statements". What am I doing wrong?

    Thanks for your help

    Last edited: Nov 30, 2007
    tomasek, Nov 29, 2007

  2. tomasek


    Dec 16, 2007
    Take out this ACL:

    access-list publicaccess extended deny ip host

    As long as the privateaccess ACL comes first, when the source and destination are matched it will automagically go there; all else is denied. When the next NAT translation is hit and goes to the privateaccess ACL, then the remaining source to any host will be processed.

    Hope this helps,

    Greeley, Dec 16, 2007
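
Added example, not part of the thread and not Cisco code: a small Python lint that parses pre-8.3 style `access-list`/`nat`/`global` lines, flags policy NAT ACLs containing `deny` entries, and reports which global address a flow would get. It assumes policy NAT rules are matched first-match in configuration order, as the reply describes; the addresses are constructed sample values, since the thread's own addresses are missing.

```python
import ipaddress

# Constructed sample config: permit-only ACLs, the specific rule listed first.
SAMPLE_CONFIG = """\
access-list privataccess extended permit ip host 10.1.1.10 198.51.100.0 255.255.255.0
access-list publicaccess extended permit ip host 10.1.1.10 any
nat (inside) 1 access-list privataccess
nat (inside) 2 access-list publicaccess
global (outside) 1 203.0.113.11
global (outside) 2 203.0.113.12
"""

def _network(tokens):
    """Consume one address spec (host A | any | NET MASK); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return (acls, ordered policy NAT rules, global pools) from the config text."""
    acls, nat_rules, pools = {}, [], {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2] == "extended":
            src, rest = _network(t[5:])
            dst, _ = _network(rest)
            acls.setdefault(t[1], []).append((t[3], src, dst))
        elif t[:1] == ["nat"] and "access-list" in t:
            nat_rules.append((t[2], t[t.index("access-list") + 1]))
        elif t[:1] == ["global"]:
            pools[t[2]] = t[3]
    return acls, nat_rules, pools

def lint(config):
    """Names of policy NAT ACLs that contain deny entries (rejected by the ASA)."""
    acls, nat_rules, _ = parse(config)
    return [name for _, name in nat_rules
            if any(action == "deny" for action, _, _ in acls.get(name, []))]

def translated_source(config, src, dst):
    """Global address of the first policy NAT rule whose ACL permits src -> dst."""
    acls, nat_rules, pools = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, name in nat_rules:
        if any(action == "permit" and s in a_src and d in a_dst
               for action, a_src, a_dst in acls.get(name, [])):
            return pools.get(nat_id)
    return None
```

Swapping the two `nat` lines in the sample makes the `any` rule match first, so traffic to 198.51.100.0/24 would be translated to the second global address; rule order is what replaces the `deny` entry.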