Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Patrick

Here is the order of operations for NAT on the firewall:

1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands
   a. Static NAT with and without access-list
   b. Static PAT with and without access-list
4. Match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use global pool for dynamic NAT
      iii. Use global pool for dynamic PAT

So you could try:

1) a static NAT with an access-list, which will take precedence over a dynamic NAT statement
2) As you can see from 4a, it uses first match with NAT and access-list, so in theory swapping them around should do the trick.

Can I think of any negative consequences? Well, yes, you could lose all connectivity. I don't think this will happen, but I can't promise, so you absolutely would want to do this out of hours.

Jon
Jon - I tried #1, but I received an error:

access-list NAT1 permit ip 192.168.0.0 255.255.0.0 10.2.0.0 255.255.0.0
static (inside,outside) 172.20.n.1 access-list NAT1
global address overlaps with mask

I am unable to figure out what the error message means. I had also tried #1 using a NAT with the object-groups, but that failed too, although with a different error message. Using a static NAT config would be my preferred solution. Thanks for your time.

Patrick
Patrick

I kind of missed the wood for the trees here. The static policy NAT is failing because you are trying to map a network 192.168.0.0 to a single IP address 172.20.n.1. However, it's just occurred to me: why are you doing policy NAT for the Internet? I tested in the lab and if you do this

nat (INSIDE) 1 192.168.0.0 255.255.0.0
global (OUTSIDE) 1 interface
access-list NAT-LIST permit ip 192.168.0.0 255.255.0.0 10.2.x.x 255.255.255.0
nat (INSIDE) 2 access-list NAT-LIST
global (OUTSIDE) 1 172.20.n.1

i.e. only do policy NAT for VPN traffic. This works as expected in my lab. Is there a reason why you need policy NAT for general Internet access?

Jon
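As an added illustration that is not part of the thread, the Python model below walks a packet through the NAT order of operations Jon lists (nat 0 exempt, existing xlate, static, policy nat first-match, then best-match nat) using a constructed rule set shaped like his lab config; the global address 172.20.0.1 is a placeholder for 172.20.n.1, and the peer network is assumed to be 10.2.0.0/24.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_matches(acl, src, dst):
    # An ACL is a list of (src_net, dst_net) permit lines; first permit wins.
    return any(in_net(src, s) and in_net(dst, d) for s, d in acl)

def lookup(src, dst, cfg):
    """Return (rule kind, translated source) in PIX order of operations."""
    if acl_matches(cfg.get("nat0_acl", []), src, dst):       # 1. nat 0 access-list
        return ("nat 0 exempt", src)
    if src in cfg.get("xlates", {}):                          # 2. existing xlate
        return ("existing xlate", cfg["xlates"][src])
    for st in cfg.get("statics", []):                         # 3. static, with/without ACL
        if st.get("acl") and not acl_matches(st["acl"], src, dst):
            continue
        if in_net(src, st["local"]):
            return ("static", st["global"])
    for nat in cfg.get("policy_nats", []):                    # 4a. nat [id] access-list
        if acl_matches(nat["acl"], src, dst):                 #     first match wins
            return ("policy nat id %d" % nat["id"], cfg["globals"][nat["id"]])
    best = None                                               # 4b. nat [id] addr mask
    for nat in cfg.get("nats", []):                           #     longest prefix wins
        plen = ipaddress.ip_network(nat["net"]).prefixlen
        if in_net(src, nat["net"]) and (best is None or plen > best[0]):
            best = (plen, nat)
    if best is None:
        return ("no translation", None)
    nat = best[1]
    if nat["id"] == 0:                                        # 4b-i. identity xlate
        return ("identity xlate", src)
    return ("dynamic nat id %d" % nat["id"], cfg["globals"][nat["id"]])

# Constructed rule set modelled on the lab config in the thread.
CFG = {
    "nat0_acl": [],
    "xlates": {},
    "statics": [],
    "policy_nats": [{"id": 2, "acl": [("192.168.0.0/16", "10.2.0.0/24")]}],
    "nats": [{"id": 1, "net": "192.168.0.0/16"}],
    "globals": {1: "interface", 2: "172.20.0.1"},   # 172.20.0.1 stands in for 172.20.n.1
}
```

Adding a static or a nat 0 entry to CFG shows those stages winning over the policy NAT for the same packet, which is the precedence Jon's list describes.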