Using ASA/PIX with policy NAT to map an inside host

Possible scenarios when using policy NAT would be:

  • a LAN has private IP addresses that connect to the Internet using NAT overload; one host from this LAN needs to be accessed from outside with a public IP address only from certain hosts
  • a branch of an organization has a testbed with IP addresses that are routed only in the local network. To give other hosts in the intranet access to a host in the testbed, a PIX/ASA firewall is used to map the private IP address of the testbed host to an enterprise-wide routed IP that can be reached only from authorised IPs.

We'll be tackling the latter situation. Here's the network diagram of our example:

Networks behind R are: an enterprise-routed VLAN ( and a testbed VLAN ( which only has static routes on R and FW. The requirement is that host H2 can be accessed from outside the FW, only from The IP address that will be mapped on the FW should be from the subnet.
This can be accomplished with policy NAT on the FW firewall. To do this we need an ACL that matches only the specified IP pairs; a match on this ACL is what triggers the translation. The translation policy should look like this:
access-list acl_name permit ip real_ip real_mask foreign_ip foreign_mask
To keep the ACL manageable we'll use an object-group that contains the foreign_ip:
object-group network mapping
description List of IPs that can do policy NAT
network-object host
The ACL in our case is:
access-list policynat extended permit ip host object-group mapping
Finally, to do the mapping we'll use a static translation:
static (inside,outside) access-list policynat
is the mapped IP address. To test the configuration ping from The result is that FW will translate to which takes the route through R and then H2.
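The three steps above (object-group, policy ACL, static translation) as one complete configuration. This is an added example, not the original post's configuration: every address is a constructed RFC 5737 documentation address (the testbed VLAN, H2's real address, the mapped enterprise-routed address, the authorised outside host, and the router/interface addresses used for routes are all assumptions), and the ACL names other than policynat and the object-group name mapping are also assumed. It uses the pre-8.3 ASA/PIX syntax the post uses and adds the interface ACL and route that the translation alone does not provide.

```cisco
! Added example, not the post's own config. Constructed addresses (RFC 5737):
!   testbed VLAN behind R:            192.0.2.0/24, host H2 = 192.0.2.20
!   enterprise-routed mapped subnet:  198.51.100.0/24, mapped IP = 198.51.100.20
!   authorised outside host:          203.0.113.5
!   R's address on the FW inside segment (assumed): 10.0.0.1

! 1. Foreign hosts allowed to trigger the policy NAT (one network-object per host)
object-group network mapping
 description List of IPs that can do policy NAT
 network-object host 203.0.113.5

! 2. Policy ACL: source = H2's real address, destination = the allowed hosts
access-list policynat extended permit ip host 192.0.2.20 object-group mapping

! 3. Static policy translation: H2 is presented as 198.51.100.20 only for
!    source/destination pairs that match policynat
static (inside,outside) 198.51.100.20 access-list policynat

! 4. Connections initiated from the lower-security outside interface still need
!    an interface ACL; pre-8.3, the destination here is the MAPPED address.
access-list outside_in extended permit ip object-group mapping host 198.51.100.20
access-group outside_in in interface outside

! 5. FW must know how to reach the testbed VLAN via R (assumed R address);
!    R and the rest of the intranet must route 198.51.100.20 to the FW's outside
!    interface, which is configured on R, not here.
route inside 192.0.2.0 255.255.255.0 10.0.0.1
```

Two practical notes. First, testing with ping only works if ICMP replies are allowed back through the FW, either by `inspect icmp` in the global service policy or by an explicit echo-reply entry in the interface ACLs. Second, ASA 8.3 and later replaced `static ... access-list` with twice NAT of the form `nat (inside,outside) source static <real-object> <mapped-object> destination static <peer-object> <peer-object>`, and from that release interface ACLs reference the real (untranslated) address rather than the mapped one.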
To troubleshoot:
ciscoasa# sh nat

NAT policies on Interface inside:
match ip inside host outside host
static translation to
translate_hits = 10, untranslate_hits = 3
untranslate_hits are traffic from IPs other than
