NAT Exemption

Unanswered Question
Mar 14th, 2007


Has anybody tried to implement a NAT exemption and static NAT for the same source? What I want to achieve is that one host of the internal network will not be NATted, like the complete network, and also has a static NAT for another connection.

I have problems implementing this and have read that PNAT is not possible in combination with NAT exemption.



suschoud Wed, 03/14/2007 - 07:51


Let's say you have host A on the inside.

You want that when host A goes to , then it should not be translated (NAT exempt), and for the rest of the traffic it should get translated (static NAT).

Is that true?

If it is,

access-l nonat permit ip host A

nat (inside) 0 access-list nonat

static (inside,outside)

The nat 0 with an access-list (exempt) takes precedence over the static, and that's why the no-NAT is processed before the static.

I guess that's it.

If I am on the wrong side of the lane, let me know.



acomiskey Wed, 03/14/2007 - 07:52

Correct, here's the rest of the order:

1. nat exemption

2. static nat

3. static pat

4. policy nat

5. regular nat
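
The precedence acomiskey lists, applied to the nat 0 / static skeleton in suschoud's reply, as an added example that is not part of the original thread and not Cisco code: a small Python model of the rule lookup. It assumes host A is 10.1.1.10, the remote site is 192.168.50.0/24, the static maps A to 203.0.113.10 and the rest of 10.1.0.0/16 uses a pool; all of these addresses and the config lines in the comments are constructed for the example. It shows why the static is never consulted for A's traffic to the exempted destination, while the same static still applies to A's traffic anywhere else.

```python
"""Model of PIX/FWSM NAT rule precedence.

Added example, not Cisco code and not posted by anyone in the thread.
The order is the one given in the thread:
  1  nat exemption   (nat <if> 0 access-list ...)
  2  static NAT
  3  static PAT
  4  policy NAT      (nat <if> <id> access-list ...)
  5  regular NAT     (nat <if> <id> <net> <mask> + global)
Addresses are assumed (RFC 1918 inside, RFC 5737 outside/remote).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class NatRule:
    tier: int               # precedence tier from the thread, 1 is checked first
    config: str             # the (assumed) config line this entry models
    src: IPv4Network        # inside source addresses the rule matches
    dst: IPv4Network        # destinations it matches; 0.0.0.0/0 = any
    mapped: Optional[str]   # translated source; None = no translation


ANY = ip_network("0.0.0.0/0")

# Assumed config being modelled (host A = 10.1.1.10, remote site = 192.168.50.0/24):
#   access-list nonat permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
#   nat (inside) 0 access-list nonat
#   static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
#   nat (inside) 1 10.1.0.0 255.255.0.0
#   global (outside) 1 203.0.113.100-203.0.113.200
# Tiers 3 (static PAT) and 4 (policy NAT) are simply not populated here.
RULES: Sequence[NatRule] = (
    NatRule(1, "nat (inside) 0 access-list nonat",
            ip_network("10.1.1.10/32"), ip_network("192.168.50.0/24"), None),
    NatRule(2, "static (inside,outside) 203.0.113.10 10.1.1.10",
            ip_network("10.1.1.10/32"), ANY, "203.0.113.10"),
    NatRule(5, "nat (inside) 1 10.1.0.0 255.255.0.0 + global (outside) 1",
            ip_network("10.1.0.0/16"), ANY, "pool 203.0.113.100-203.0.113.200"),
)


def lookup(rules: Sequence[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Return the first rule matching (src, dst) in tier order, or None.

    Within one tier the configured order is kept (sorted() is stable),
    so among overlapping entries of the same kind the first one wins.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.tier):
        if s in rule.src and d in rule.dst:
            return rule
    return None


def translate(rules: Sequence[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """Return (matched config line, source address as seen on the far side)."""
    rule = lookup(rules, src, dst)
    if rule is None:
        # With nat-control enabled a flow that matches no NAT rule is dropped,
        # so surface that instead of silently passing the original address.
        return ("no NAT rule - dropped under nat-control", src)
    return (rule.config, src if rule.mapped is None else rule.mapped)


if __name__ == "__main__":
    # Host A to the remote site: the exemption wins, the static is never reached.
    print(translate(RULES, "10.1.1.10", "192.168.50.7"))
    # Host A anywhere else: the static applies.
    print(translate(RULES, "10.1.1.10", "198.51.100.5"))
    # Another inside host to the remote site: only the dynamic pool matches.
    print(translate(RULES, "10.1.2.20", "192.168.50.7"))
```

The model only walks the inside-to-outside lookup; it does not model the reverse direction (packets arriving at the static's mapped address), nor the fact that a nat 0 access-list exemption is applied to the return traffic as well, which is what makes the exempted host/destination pair unreachable through the static.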

kaachary Wed, 03/14/2007 - 07:53

Once a packet is exempted from NATting for a specific destination, you cannot do static NATting for the same host/network for the same destination.

Give us a brief overview of the scenario, and we'll try to help.


c.ohliger Wed, 03/14/2007 - 08:09

Jesus ... so many answers, thanks for all your help. It's a complex environment, but I will try to explain. The environment is based on an FWSM with several interfaces. Basically all traffic is in an exemption NAT table based on network groups. A remote site will be connected to this environment with IPsec. The IPsec part will be handled by a concentrator. The remote network is , has to be NATted inbound to . Traffic from internal to this remote network has to be NATted dynamically (pool). Specific hosts in the internal network have to have a static NAT when accessed from outside.

The problem is the remote site is not willing to do NAT; that would be the easy way...

If I understand your comments correctly, then the "jumping point" is that NAT exemption is first in order ... so the only solution would be to build a second firewall for this traffic ;-)



