NAT Exemption

Unanswered Question
May 22nd, 2007
User Badges:

Hi All,

I jsut need some help in making sure that the following statements are correct. Here is the scenario.

Our inside private addresss 10.x.x.x always gets NATed to a public IP on the outside. Now I have a situatuion where we do not want to NAT the private IP if the destination address is x.x.226.31 on the outside.

I have come up with the following.

access-list no_nat_ipvc_out permit ip host x.x.226.31

nat (inside) 0 access-list no_nat_ipvc_out

Will this work?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
hoogen_82 Tue, 05/22/2007 - 05:00
User Badges:
  • Silver, 250 points or more

Yeah that should do it.


mchockalingam Wed, 05/23/2007 - 06:43
User Badges:

Thank you for both replies.

I have another situation but do not know how to do the translations for.

I have remote access VPN users getting public ip addresses in the range x.x.26.0/23 on the outside. They need to access their desktops on the inside using RDP and the desktops are on the private 10.x.x.x range.

Is it possible to allow remote access users on the outside to access the desktops on the inside?

I have been looking into policy NAT but need some help.

Any suggestions?

acomiskey Wed, 05/23/2007 - 07:32
User Badges:
  • Green, 3000 points or more

I think this is what you're asking. Just add the traffic to you existing nat exemption acl.

access-list no_nat_ipvc_out permit ip host x.x.226.31

access-list no_nat_ipvc_out permit ip x.x.226.0

nat (inside) 0 access-list no_nat_ipvc_out

mchockalingam Wed, 05/23/2007 - 08:01
User Badges:

I think this will only allow 10.x.x.x access the 26.0/23 with no NAT.

But I would like to no NAT the 10.x.x.x on the inside if the traffic is coming from the outside source x.x.26.0/23. I do not have any interface in the 10.x.x.x range on the firewall.

We are doing the NATing on the FWSM but the perimeter firewall has the DMZ which has our VPN device. When remote users connect they get an IP on the DMZ of the perimeter firewall and the users need access to inside which is 10.x.x.x. But all our 10.x.x.x gets NATed to a public IP by the FWSM.

acomiskey Wed, 05/23/2007 - 08:37
User Badges:
  • Green, 3000 points or more

Nat exemption acl's are bi-directional.

mchockalingam Wed, 05/23/2007 - 10:42
User Badges:

This is a learning for me. I just want to make sure that it will work if the traffic originates from outside.


This Discussion