Understanding NAT

Unanswered Question
Nov 13th, 2007


I've got the following NAT configuration set up on our firewall, but I'm having difficulty understanding what it means. Could someone please explain what is happening here:

access-list nonat-dmz extended permit ip host Private_Host
access-list nonat-inside extended permit ip host Private_Host
access-list nat-inside extended permit ip object-group Direct-Internet any
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat-inside
nat (inside) 1 access-list nat-inside
nat (dmz) 0 access-list nonat-dmz

Thanks in advance


msosabar Tue, 11/13/2007 - 09:32

Hello dan,

Basically you have what is called "NAT exemption".

When the condition on the access-list nonat-dmz or nonat-inside matches, the firewall lets the traffic go out without translation; this is commonly used for VPN interesting traffic. The other one, nat (inside) 1 access-list nat-inside, is called Policy NAT, and basically it is going to translate the matching condition defined on the access-list nat-inside into the public address or range defined on the global (outside) 1 x.x.x.x.

Here is the command reference for PIX/ASA 7.2.2; please check the nat and static statements, it has a really good explanation of how the firewall handles the translations:
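To make the distinction concrete, here is an added Python model (not from the original post or from Cisco) of how the poster's rule set is evaluated: a nat 0 access-list match (exemption) is checked before a policy NAT match, and a policy NAT match is translated via the global pool with the same id. The host address, the ACL destinations, the Direct-Internet members and the public address are all assumed values.

```python
import ipaddress

# Constructed model of the poster's PIX/ASA 7.x rules. Addresses, the ACL
# destinations and the object-group membership are assumptions for the demo.
PRIVATE_HOST = ipaddress.ip_address("10.1.1.10")
VPN_REMOTE = ipaddress.ip_network("192.168.100.0/24")   # assumed VPN peer LAN
DIRECT_INTERNET = {ipaddress.ip_address("10.1.1.10"),
                   ipaddress.ip_address("10.1.1.20")}   # assumed object-group
GLOBAL_OUTSIDE_1 = "203.0.113.1"                        # stands in for x.x.x.x

# Each ACL is a list of match functions returning True when a flow is permitted.
ACLS = {
    "nonat-inside": [lambda s, d: s == PRIVATE_HOST and d in VPN_REMOTE],
    "nonat-dmz":    [lambda s, d: s == PRIVATE_HOST and d in VPN_REMOTE],
    "nat-inside":   [lambda s, d: s in DIRECT_INTERNET],
}

# nat (ifc) <id> access-list <acl>: id 0 is exemption, any other id maps
# to global (egress) <id>.
NAT_RULES = [
    ("inside", 0, "nonat-inside"),
    ("inside", 1, "nat-inside"),
    ("dmz",    0, "nonat-dmz"),
]
GLOBALS = {("outside", 1): GLOBAL_OUTSIDE_1}

def acl_permits(name, src, dst):
    return any(entry(src, dst) for entry in ACLS[name])

def resolve_nat(ingress, src, dst, egress="outside"):
    """Return (action, source address seen on the egress side)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [r for r in NAT_RULES if r[0] == ingress]
    # Pass 1: NAT exemption (nat 0 access-list) wins over any policy NAT,
    # even when the same host is also covered by nat-inside.
    for _, nat_id, acl in rules:
        if nat_id == 0 and acl_permits(acl, src, dst):
            return ("exempt", str(src))
    # Pass 2: policy NAT in configuration order, translated via global <id>.
    for _, nat_id, acl in rules:
        if nat_id != 0 and acl_permits(acl, src, dst):
            pool = GLOBALS.get((egress, nat_id))
            return ("translate", pool) if pool else ("no-global", str(src))
    return ("no-nat-rule", str(src))
```

Running Private_Host toward the VPN subnet shows the exemption taking precedence even though the host is also in Direct-Internet, while other Direct-Internet members bound for the Internet are translated to the global address.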
