In the access-list, the first IP is the inside and the second IP is the outside. Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), you can initiate traffic to and from the real host. However, the destination address in the access list is only used for traffic initiated by the real host. For traffic *to* the real host from the destination network, the source address is not checked, and the first matching NAT rule for the real host address is used. So if you configure static policy NAT such as the following:

With regards
Kings

On Sun, Nov 21, 2010 at 4:45 PM, manish ludhani <[email protected]> wrote:

> L10 10.10.10.10
> |
> R1(1.1.1.10)--------(1.1.1.1)FW------------R2---L3 3.3.3.3
> |
> L20 20.20.20.20
>
> access-list LO10 extended permit ip host 3.3.3.3 host 10.10.10.10
> access-list LO20 extended permit ip host 3.3.3.3 host 20.20.20.20
>
> static (INSIDE,OUTSIDE) 1.1.1.3 access-list LO10
> static (INSIDE,OUTSIDE) 1.1.1.4 access-list LO20
>
> When I initiate a ping from R2 sourced from L3 to L10 or L20, it works fine as expected.
>
> However, when I initiate a ping from R1 sourced from any, it just uses the xlate and does not consider the access list:
>
> Global 1.1.1.3 Local 3.3.3.3
> Global 1.1.1.4 Local 3.3.3.3
>
> However, my understanding was that the second IP in the access list should be either the source or the destination in order to do the translation, so from R1 a ping sourced from L10 to 1.1.1.3 and L20 to 1.1.1.4 should be translated; the rest should not.
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1074755
>
> *“Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command. The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates.”*
>
> Can anyone please explain?
>
> Thanks
> Kind Regards
> Manish
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
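Added example, not part of the thread or of Cisco's documentation: a simplified Python model of the matching behaviour described in the quoted documentation, run against the two static rules from the original post. The class and function names are hypothetical, and the model covers only the policy static lookup, not the ASA's full NAT order of operations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyStatic:
    mapped: str    # global address presented on OUTSIDE
    real: str      # first address in the ACL (host behind INSIDE)
    acl_peer: str  # second address in the ACL

# The two rules from the post (LO10 and LO20).
RULES = [
    PolicyStatic("1.1.1.3", "3.3.3.3", "10.10.10.10"),
    PolicyStatic("1.1.1.4", "3.3.3.3", "20.20.20.20"),
]

def from_real_host(src, dst, rules=RULES):
    """Traffic initiated by the real host: both ACL addresses must match."""
    for r in rules:
        if r.real == src and r.acl_peer == dst:
            return (r.mapped, dst)  # source rewritten to the mapped address
    return None  # no policy static applies; this model stops here

def to_real_host(src, dst, rules=RULES):
    """Traffic initiated toward a mapped address: the source is not checked."""
    for r in rules:
        if r.mapped == dst:
            return (src, r.real)  # destination rewritten to the real address
    return None

def unexpected_sources(candidates, dst, rules=RULES):
    """Sources translated toward the real host although no ACL for dst names them."""
    named = {r.acl_peer for r in rules if r.mapped == dst}
    return [s for s in candidates
            if to_real_host(s, dst, rules) is not None and s not in named]

if __name__ == "__main__":
    print(from_real_host("3.3.3.3", "10.10.10.10"))
    print(to_real_host("1.1.1.10", "1.1.1.3"))
    print(unexpected_sources(["10.10.10.10", "20.20.20.20", "1.1.1.10"], "1.1.1.3"))
```

The access list on a policy static selects which translation applies; it is not a filter, so which sources may reach 1.1.1.3 and 1.1.1.4 has to be restricted by the access list applied to the OUTSIDE interface.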
