NAT Exemption

c.ohliger
Level 1

Hi,

Has anybody tried to implement a NAT exemption and a static NAT for the same source? What I want to achieve is that one host of the internal network is not NATted, like the complete network, and also has a static NAT for another connection.

I have problems implementing this and have read that PNAT is not possible in combination with NAT exemption.

regards

Christoph

4 Replies

suschoud
Cisco Employee

Hi,

Let's say you have host A on the inside.

You want that when host A goes to 1.1.1.1/24, it should not be translated (NAT exempt), and for the rest of the traffic it should get translated (static NAT).

Is that true?

If it is:

! ACL selecting the traffic that must not be translated
access-list nonat permit ip host A 1.1.1.1 255.255.255.0
! NAT exemption (nat 0 with an access-list)
nat (inside) 0 access-list nonat
! Static NAT for host A; <mapped_ip> and <real_ip_of_A> are placeholders
static (inside,outside) <mapped_ip> <real_ip_of_A> netmask 255.255.255.255

The nat 0 with an access-list (exempt) takes precedence over the static, and that's why the no-NAT is processed before the static.

I guess that's it.

If I am on the wrong side of the lane, let me know.

Regards,

Sushil.

Correct, here's the rest of the order:

1. NAT exemption
2. static NAT
3. static PAT
4. policy NAT
5. regular NAT
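As an added illustration of that precedence (my own example, not code from the thread or from Cisco), a small Python model of the lookup: whichever rule type is highest in the list wins, whatever order the rules were configured in. The inside network 10.10.0.0/16 and the mapped addresses are constructed placeholders; only 172.22.0.0/16 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule types in the precedence the reply above lists (FWSM/ASA pre-8.3 syntax):
# exemption first, then static NAT, static PAT, policy NAT, regular (dynamic) NAT.
ORDER = ["exempt", "static", "static_pat", "policy", "dynamic"]

@dataclass
class Rule:
    kind: str              # one of ORDER
    src: str               # real source network the rule matches (CIDR)
    dst: str               # destination the rule matches (CIDR, 0.0.0.0/0 = any)
    mapped: Optional[str]  # mapped source address or pool; None for exemption

def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst, strict=False))

def translate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (rule kind applied, resulting source address) for one outbound packet.
    The first matching rule of the highest-precedence kind wins, regardless of
    the order in which the rules were entered."""
    for kind in ORDER:
        for rule in rules:
            if rule.kind == kind and matches(rule, src_ip, dst_ip):
                return kind, (src_ip if kind == "exempt" else rule.mapped)
    return "none", src_ip

# Constructed rule set modelling the scenario in this thread (addresses are
# placeholders, except the remote network 172.22.0.0/16 named by the poster):
#   nat (inside) 1 ... + global pool   -> dynamic NAT for the inside network
#   static (inside,outside) ...         -> static NAT for one specific host
#   nat (inside) 0 access-list nonat    -> exemption towards the remote site
RULES = [
    Rule("dynamic", "10.10.0.0/16", "0.0.0.0/0", "192.0.2.100"),
    Rule("static", "10.10.0.5/32", "0.0.0.0/0", "192.0.2.5"),
    Rule("exempt", "10.10.0.0/16", "172.22.0.0/16", None),
]

if __name__ == "__main__":
    # Towards the remote site the exemption wins: the static entry for 10.10.0.5
    # never gets a chance, which is the limitation discussed in this thread.
    print(translate(RULES, "10.10.0.5", "172.22.1.1"))    # ('exempt', '10.10.0.5')
    # Towards any other destination the static NAT applies to that host ...
    print(translate(RULES, "10.10.0.5", "203.0.113.9"))   # ('static', '192.0.2.5')
    # ... and the other inside hosts fall through to the dynamic pool.
    print(translate(RULES, "10.10.0.77", "203.0.113.9"))  # ('dynamic', '192.0.2.100')
```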

kaachary
Cisco Employee

Once a packet is exempted from NATting for a specific destination, you cannot do static NATting for the same host/network for the same destination.

Give us a brief overview of the scenario, and we'll try to help.

-Kanishka

Jesus ... so many answers, thanks for all your help. It's a complex environment, but I will try to explain. The environment is based on an FWSM with several interfaces. Basically all traffic is in an exemption NAT table based on network groups. A remote site will be connected to this environment with IPsec. The IPsec part will be handled by a concentrator. The remote network is 172.22.0.0/16 and has to be NATted inbound to 10.61.0.0/16. Traffic from internal to this remote network has to be NATted dynamically (pool). Specific hosts in the internal network have to have a static NAT when accessed from outside.

The problem is the remote site is not willing to do NAT; that would be the easy way...

If I understand your comments correctly, then the "jumping point" is that NAT exemption is first in order ... so the only solution would be to build a second firewall for this traffic ;-)

regards

Christoph
