PIX 6.3.4 - Hide NAT before VPN

In article , Amaury Ronflard wrote:
:Another scenario, PIX 501 involved.

:External IP: 187.234.17.19 (/28)
:Inside IP: 192.168.10.1 (/26)

:I'd need to nat the inside network to 10.10.10.10.

! PIX 6.3 access-list needs a protocol keyword; /26 is 255.255.255.192 (not .64)
access-list PolyNat_acl permit ip 192.168.10.0 255.255.255.192 REMOTENET REMOTEMASK
nat (inside) 20 access-list PolyNat_acl
global (outside) 20 10.10.10.10

:Once done, this
:10.10.10.10 IP gets into no-nat access-list and in the access-list to
:allow a specific traffic to the remote HA.

You cannot combine NAT and no-nat for the same IP address. But you don't need to. Write the crypto map ACL in terms of the -post- NAT IP address (10.10.10.10). If you are not using the permit-ipsec sysopt, write the inside ACL entries in terms of the internal IP addresses (192.168.10.0/26), and write the outside ACL entries in terms of the NAT'd IP, 10.10.10.10.

:So, I'd have a nat0 access-list using an hide-nat IP not belonging to
:any other interfaces.
:Could work?

No. nat 0 access-list always has top priority, and is processed first. The other kinds of NAT are not processed until after nat 0 access-list, and NAT attempts stop as soon as an applicable NAT class is found.

Walter Roberson
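The arrangement Walter describes, written out as a complete PIX 6.3 configuration fragment. This is an added example, not from either poster; REMOTENET, REMOTEMASK, REMOTE_PEER and PRESHARED_KEY are placeholders, and the ACL, map and transform-set names are invented.

```text
! Added example (constructed), not from the thread. Placeholders: REMOTENET, REMOTEMASK, REMOTE_PEER, PRESHARED_KEY.

! 1. Policy (hide) NAT: only the /26 talking to the remote net is translated to 10.10.10.10.
!    Everything else on inside keeps whatever NAT it already has.
access-list PolyNat_acl permit ip 192.168.10.0 255.255.255.192 REMOTENET REMOTEMASK
nat (inside) 20 access-list PolyNat_acl
global (outside) 20 10.10.10.10

! 2. Deliberately NO "nat (inside) 0 access-list ..." entry for this traffic:
!    nat 0 is evaluated first and would bypass the hide NAT entirely.

! 3. Crypto ACL is written in terms of the POST-NAT address.
access-list VPN_acl permit ip host 10.10.10.10 REMOTENET REMOTEMASK

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN_map 10 ipsec-isakmp
crypto map VPN_map 10 match address VPN_acl
crypto map VPN_map 10 set peer REMOTE_PEER
crypto map VPN_map 10 set transform-set ESP-3DES-SHA
crypto map VPN_map interface outside

isakmp enable outside
isakmp key PRESHARED_KEY address REMOTE_PEER netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 4. Only needed when "sysopt connection permit-ipsec" is NOT configured:
!    inside ACL uses the real addresses, outside ACL uses the NAT'd address.
access-list inside_acl permit ip 192.168.10.0 255.255.255.192 REMOTENET REMOTEMASK
access-group inside_acl in interface inside
access-list outside_acl permit ip REMOTENET REMOTEMASK host 10.10.10.10
access-group outside_acl in interface outside
```

The remote end's crypto ACL must mirror VPN_acl (REMOTENET to host 10.10.10.10), since it never sees the 192.168.10.0/26 addresses.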

Hi,

Another scenario, PIX 501 involved.

External IP: 187.234.17.19 (/28)
Inside IP: 192.168.10.1 (/26)

I'd need to nat the inside network to 10.10.10.10. Once done, this 10.10.10.10 IP gets into no-nat access-list and in the access-list to allow a specific traffic to the remote HA.

Achievable? Regarding the addressing inside, I have multiple sites; I think I'd hide-nat before "encryption".

I know doing it I lose accounting but I do not care.

So, I'd have a nat0 access-list using a hide-nat IP not belonging to any other interfaces.

Could work?

Thx,

Amaury

PS: VPN one way, I do not need anyone from the remote HA to get to the local LAN

Amaury Ronflard
[...]

[...]

Thanks!!!

Amaury

Amaury Ronflard