change of the PIX6.3 static nat to 6.4

Similar Questions

• Public static NAT vs. Access-List

  Hello

  I have a question what is the best practice static NAT and access list. Example:

  Server (192.168.1.1) Web inside to outside (10.10.10.10) with the port 80 and 443.

  IP nat inside source static tcp 192.168.1.1 80 10.10.10.10 80

  IP nat inside source static tcp 192.168.1.1 10.10.10.10 443 443

  Or

  IP nat inside source static 192.168.1.1 10.10.10.10

  Access-list 101 permit tcp any host 10.10.10.10 eq 80

  Access-list 101 permit tcp any host 10.10.10.10 eq 443

  interface ethernet0
  IP access-group 101 in

  Thank you

  The operational reasons - it will break things.

• Static NAT with the road map for excluding the VPN

  We have problems of access to certain IPs NATted static via a VPN.  After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

  10.1.1.x is the VPN IP pool.

  access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 allow ip 192.168.1.0 0.0.0.255 any

  sheep allowed 10 route map
  corresponds to the IP 130

  IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

  Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1.  What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

  Any ideas on how to get this to work?

  Thank you
  Diego

  Hello

  The following example details exactly your case:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

  Try to replace the 192.168.1.0 subnet by the host address.

  It should work

  HTH

  Laurent.

• Cisco IOS - how config static nat to NAT on the VPN

  Hello world

  I need help.

  I configured a VPN site-to site between two routers IOS. One of the routers already had a static NAT (172.16.100.1 inside to the public IP address), but this static NAT prevents remote VPN hosts access to the 172.16.100.1 home as it tries to the response to public IP NAT router configured.

  Does anyone know how to use static NAT for the inside to the outside, but don't not NAT inside to outside VPN traffic?

  I know how to make using a roadmap for "overload" dynamic NAT, but I can't? t see how you can use a roadmap on the static NAT statement.

  You can provide any help would be appreciated.

  Chris

  Hi Chris

  Take a look at the document atatched with gives a few examples of the very thing you are trying to do.

  http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

  HTH

  Jon

• Cannot ping via the VPN client host when static NAT translations are used

  Hello, I have a SRI 3825 configured for Cisco VPN client access.

  There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

  Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

  For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

  Any help would be appreciated.

  Concerning

  !

  session of crypto consignment

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group vpnclient

  key S3Cu4Ke!

  DNS 192.168.1.1 192.168.1.2

  domain domain.com

  pool dhcppool

  ACL 198

  Save-password

  PFS

  netmask 255.255.255.0

  !

  !

  Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

  !

  Crypto-map dynamic dynmap 10

  86400 seconds, life of security association set

  game of transformation-3DES-SECURE

  market arriere-route

  !

  card crypto client cryptomap of authentication list drauthen

  card crypto isakmp authorization list drauthor cryptomap

  client configuration address card crypto cryptomap answer

  map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

  !

  interface GigabitEthernet0/0

  NAT outside IP

  IP 1.2.3.4 255.255.255.240

  cryptomap card crypto

  !

  interface GigabitEthernet0/1

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  !

  IP local pool dhcppool 192.168.2.50 192.168.2.100

  !

  Note access-list 198 * Split Tunnel encrypted traffic *.
  access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

  !
  Note access-list 199 * NAT0 ACL *.
  access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  access-list 199 permit ip 192.168.1.0 0.0.0.255 any

  !

  Sheep allowed 10 route map
  corresponds to the IP 199

  !
  IP nat inside source map route sheep interface GigabitEthernet0/0 overload

  !

  IP nat inside source static 192.168.1.1 1.2.3.5
  IP nat inside source static 192.168.1.2 1.2.3.6

  The problem seems to be that static NAT take your nat exemption.

  The solution would be:

  IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
  IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

  HTH

  Herbert

• 2 static NAT on the same Interface

  I have an ASA 5510 (8.2 (5)) and I'm trying to set up a VPN site-to site of one of our suppliers.  The problem I am running into is that they want me NAT one specific to one of our servers private IP, and this server already has a static NAT from the outside of a demilitarized zone.  It's the current rule NAT:

  static (DMZ1, external) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

  and they want card me 172.28.9.42 on the same server, so I tried to add:

  (DMZ1, external) 172.28.9.42 static 10.0.0.3 netmask 255.255.255.255

  but can not because it's a double translation.

  Any help would be greatly appreciated.

  Hello

  It seems to me you must configure a static NAT to politics

  Configurations would be as follows

  DMZ-POLICY-NAT of ip 10.0.0.3 host allowed access list

  (DMZ1, external) 172.28.9.42 static access-list DMZ-POLICY-NAT

  Regarding configurations

  • Name of the ACL can be naturally you want
  • Destination network can be a single host if necessary IP address
  • You should be able to configure multiple lines if necessary

  Note that you need to have this NAT configuration before the real public IP address command static NAT. You need to remove the existing static NAT to configure the above and add the original.

  This is because if you do not configure static NAT of politics first in the configuration, all traffic will keep hitting the normal rule of the static NAT for the public IP address.

  -Jouni

• Static Nat issue unable to resolve everything tried.

  Hello

  I have a cisco asa 5515 with asa worm 9.4.1 and asdm 7.4

  I have problem with configuring static nat, I have a server inside which ip is 172.16.1.85 and

  my external interface is configured with a static ip address.

  Internet works fine but cannot configure static nat...

  Here's my config running if please check and let me know what Miss me...

  Thank you

  ASA release 9.4 (1)
  !
  ciscoasa hostname

  names of
  !
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  IP 151.253.97.182 255.255.255.248
  !
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  IP 172.16.1.1 255.255.255.0
  !
  interface GigabitEthernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  boot system Disk0: / asa941-smp - k8.bin
  passive FTP mode
  object remote desktop service
  source eq 3389 destination eq 3389 tcp service
  Description remote desktop
  network of the RDP_SERVER object
  Home 172.16.1.85
  outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER
  pager lines 24
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  management of MTU 1500
  no failover
  no monitor-service-interface module of
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 743.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network of the RDP_SERVER object
  NAT (inside, outside) interface static service tcp 3389 3389
  !
  NAT source auto after (indoor, outdoor) dynamic one interface
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 151.253.97.177 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  identity of the user by default-domain LOCAL
  Enable http server
  http server idle-timeout 50
  http 192.168.1.0 255.255.255.0 management

  Telnet 192.168.1.0 255.255.255.0 management
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 192.168.1.0 255.255.255.0 management
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  VPDN username bricks12 password * local store
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  dynamic-access-policy-registration DfltAccessPolicy
  username, password imran guVrfhrJftPA/rQZ encrypted privilege 15
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  anonymous reporting remote call

  ciscoasa #.

  Hello

  Change this ACL: -.

  outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER

  TO

  outside_access_in list extended access allowed object RDP_SERVER eq any4 tcp 3389

  Thank you and best regards,

  Maryse Amrodia

• Static NAT & DMVPN Hub

  Hello

  I don't think that will be a problem DMVPN supports the rays behind NAT devices, but I anticipate change my network for reasons of security and redudancy autour and putting a pair of ASA firewalls on my Internet collocation.  Right now I have a DMVPN race 3845, NAT & ZBFW.  I'm going to remove the ZBFW and move the NAT to the ASA, leaving only the DMVPN hub and routing.  If I create a static NAT mapping on my ASA to point to the DMVPN hub that will work?

  I think it will be, but I just wanted to be 110% sure.

  Thank you!

  Hi Brantley,

  DMVPN with static NAT on the hub is supported in the installer. Just be awear it there are limits.

  1, all DMVPN router, hub and spokes must be running at least 12.3(9a) and 12.3 (11) T code.

  2, must use ipsec transport mode.

  3, so need dynamic tunnel talk to rays, hub should work at least 12.3 (13), 12.3 (14) T and 12.3 (11) T3 code.

  See the configuration guide

  http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466

  HTH,

  Lei Tian

• % 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; Connection refused because of the failure of the path opposite. NAT VPN clients problems after that put 8.3.2 to level.

  I've recently updated to 8.3.2 and I have been informed of these NAT changes, but even after reading the https://supportforums.cisco.com/docs/DOC-12569 I am still unable to rectify the communication network 192.168.100.0 VPN with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the external interface, and I try to ping inside and the demilitarized zone, respectable 172.16.1.0 and 172.16.9.0 hosts. VPN client shows that the two previously mentioned networks such as roads of security, but still not to the ping pong.

  # sh nat

  Manual NAT policies (Section 1)

  1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

  translate_hits = 0, untranslate_hits = 0

  2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

  translate_hits = 0, untranslate_hits = 0

  3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

  translate_hits = 0, untranslate_hits = 0

  4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

  translate_hits = 0, untranslate_hits = 0

  5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

  translate_hits = 0, untranslate_hits = 0

  Auto NAT policies (Section 2)

  1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service

  translate_hits = 0, untranslate_hits = 142

  2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389

  translate_hits = 0, untranslate_hits = 2

  3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service

  translate_hits = 0, untranslate_hits = 0

  4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp

  translate_hits = 0, untranslate_hits = 0

  5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service

  translate_hits = 0, untranslate_hits = 267

  6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)

  translate_hits = 4070, untranslate_hits = 224

  7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0

  translate_hits = 0, untranslate_hits = 0

  8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0

  translate_hits = 152, untranslate_hits = 4082

  9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)

  translate_hits = 69, untranslate_hits = 0

  10 (inside) to the obj_any interface dynamic source (external)

  translate_hits = 196, untranslate_hits = 32

  I think you must following two NAT config

  NAT (inside, outside) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
  NAT (dmz, external) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 192.168.100.0 obj - 192.168.100.0

  Please configure them and remove any additional NAT configuration and then try again.

• Public static political static NAT in conflict with NAT VPN

  I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

  interface Vlan1

  IP 192.168.10.1 255.255.255.0

  access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

  list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

  public static 192.168.24.0 (inside, outside) - list of VPN access

  card crypto outside_map 1 match address outside_1_cryptomap

  In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

  public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

  The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

  So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

  What Miss me?

  Hello

  I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

  I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

  I guess you could choose any way seems best for you.

  Let me know if get you it working. I always find it strange that the original configuration did not work.

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary

  -Jouni

• Static nat problem on ASA (v8.2)?

  Tring to add a new rules static nat, but it seems that I have a not able to do

  Public IP 10.10.10.10

  20.20.20.20 inside the LAN IP address

  try adding:

  FW (config) # static (inside, outside) tcp 10.10.10.10 https 20.20.20.20 https netmask 255.255.255.255

  ERROR: mapped address conflict with existing static

  inside: 20.20.20.20 outside: 10.10.10.10 netmask 255.255.255.255

  The rule with the same public IP already existing, but pointing to the different internal LAN IP address:

  static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255

  Please advice how to solve this problem.

  Thank you!

  Hi Vuèko,

  Please change your existing static nat to a particular port instead of letting it as ip to ip nat.

  "static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255".

  And then you can add second static nat to a different IP address (i.e. within the intellectual property) and it will take it and it should work.

  Thank you

  Rizwan Muhammed.

• Static NAT configuration

  I have VMWare with Windows 2012 R2 VM installation.  I am installing the VM to have a static NAT (DHCP disabled) address and connect to the internet.  I can't understand why it doesn't work for me.  The virtual computer can connect to the internet fine with DHCP active, but once I change to static, using the same IP addresses, it stops working.

  I have modified the virtual network Editor to use a specific subnet and disabled DHCP

  

  Changed the settings for the TCP/IPv4 virtual machine to use a static address

  

  The only thing I noticed is that the host NIC for VMnet8 continues to change its configuration to default.  Even if I change it to the new subnet that he shouldn't come back to 192.168.21.0.

  I tried many different types of configurations, but I can't understand exactly what I'm doing wrong!  This guide of VNE was not very helpful and many other resources did not help much either.

  try to manually configure DNS settings in advanced NAT settings option and check again

• Static NAT to 10.140.2.0 to 10.240.2.0 via VPN

  I need help to set up a static nat device between oursite and seller

  oursite has a subnet 10.140.2.0/24 the provider uses for something else.  They asked that we nat 10.140.2.0/24 to 10.240.2.0/24 via the VPN, so they will see the 10.140 10.240? any help is appreciated. I think that map crypo acl must be standing as well, we run version 8.2

  LOCAL SITE - ASA - TUNEL VPN - ASA - SITE PROVIDER

  Thanks in advance

  Hello Bbftijari,

  In this case, according to the ASA version, but you will need to configure, this way:

  Pre - 8.3

  1. create groups of objects for use in the ACL,

  the LOCAL_SITE object-group network
  object-network 10.140.2.0 255.255.255.0

  the Vendor_SITE object-group network
  network-object XXXXXX XXXXXX

  2. create ACLs, as a condition,

  access-list VPN_NAT permitted object-group LOCAL_SITE object group ip Vendor_SITE

  3 create the static NAT, call the ACL, so he says "when I come inside outside of LOCAL_SITE to Vendor_SITE, I will result in 10.240.2.0/24.

  public static 10.240.2.0 (inside, outside) access-list VPN_NAT netmask 255.255.255.0

  --------------------------------------------------------------------------------------------------------------------------------

  Post 8.3

  1 create the network objects and create a static entry:

  the LOCAL_SITE object-group network
  object-network 10.140.2.0 255.255.255.0

  the NAT_SITE object-group network
  object-network 10.240.2.0 255.255.255.0

  the Vendor_SITE object-group network
  network-object XXXXXX XXXXXX

  2. static NAT creation,

  NAT (inside, outside) 1 static source LOCAL_SITE NAT_SITE Vendor_SITE Vendor_SITE non-proxy-arp-search of route static destination

  Test and keep me posted.

  Please note and mark it as the correct answer if it helped you.

  David Castro,

• Dual active/passive failover of ISP with static Nat on Cisco 1941

  Hello world

  I'm working on a configuration of a client and I have everything in place right now except the NAT' static ing.  The config fails during an ISP to another and track als and routes by default static weighted, the PAT rocking with course to each interface maps.  It is, is it possible to switch on the large amount of static NAT entries to the ISP of backup?  So far, everything I've read said no because you can have only one entry per ip/port combo, other than another configuration static NAT double server with a different IP address.  I just want to be sure before making my recommendations, all thoughts are greatly appreciated.

  Thank you

  Brandon

  In fact, you can also long as you use standard NAT ("ip nat inside source static") or not NVI ('ip nat static source') for your attackers. You apply the roadmap by the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:

   ip access-list extended ACL_NAT permit ip 192.168.0.0 255.255.255.0 any ! route-map RM_NAT_ISP1 match ip address ACL_NAT match interface GigabitEthernet0/1 ! route-map RM_NAT_ISP2 match ip address ACL_NAT match interface GigabitEthernet0/2 

  Using port 80/tcp for example, you can do this:

   ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1 ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2 

  Just replace x.x.x.x with the LAN address of the machine that you are shipping y.y.y.y with the WAN address you are shipping on isps1 and z.z.z.z with the address of the ISP WAN you are shipping on ISP2. The static NAT will be conditional on the roadmap, at this point.

  This works with TCP, UDP, and IP forwarding, but does not require that you use an IPv4 address to your WAN address. For some reason, it does not work if you use an interface... so if you're using dynamic addresses, it will be more complicated.

• Static NAT by ASA

  I configured a static NAT through my ASA, which for some

  reason does not work - I think that the problem is with the NAT or

  der rather than the rule itself, but I would be very grateful if someone

  could you help me diagnose the problem.

  command line, the rule is: -.

  static (UKSCMGMT, management) 10.20.20.20 192.168.1.2 255.255.255.255 subnet mask

  My theory is that anything with a destination address of 10.20.20.20 would be considered to be 192.168.1.2 on the UKSCMGMT interface.

  in looking at ASDM rule looks like this

  Type the address of the Source Destination interface trans

  Static empty management 192.168.1.2 10.20.20.20

  There are a few rules exemption related to 192.168.1.2 - but they are host-to-host and should not affect the static translation.

  Yes, quite correct. You can configure NAT exemption by network instead of by each host. If you have guests that can be grouped in a subnet, configure as network instructions instead.