NAT exemption and Policy NAT

Unanswered Question
Feb 11th, 2009

Hi All,

I have the following NAT exemption configured on my firewall

access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0

nat (inside) 0 access-list in_nat0_out

The statements above basically do the NAT exemption for us. For any 10.0.0.0/8 traffic from inside destined to x.x.224.0/21 (this is our DMZ subnet), we do not perform NAT.

But now, we have a single device in the DMZ (IP is x.x.224.29) for which we want to do NAT. For any 10-net traffic destined for x.x.224.29/32, I want to allocate a dynamic NAT pool.

The way I understand it is, once I have nat 0 (or NAT exemption) configured, I cannot do a NAT on an overlapping network or address.

Is that correct? Or is it possible to do a NAT just for 1 address and nat 0 for all other addresses?

thanks,

Meena

eddie.mitchell@... Wed, 02/11/2009 - 06:34

Have you tried the following?

access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29

nat (inside) 1 access-list in_nat1_out

global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x

Hope this helps.

mchockalingam Wed, 02/11/2009 - 06:43

No, I have not tried it yet.

I thought this would not work because my nat 0 command already has that address in it. x.x.224.29/32 is part of x.x.224.0/21, and it would take the first match, which is my NAT exemption.

Does it look for a closer match or the first match?

Meena

mchockalingam Wed, 02/11/2009 - 17:04

Thank you Jon!

I was able to verify that NAT exemption takes precedence. The only way I can do policy NAT is if I exclude that address from the NAT exemption.

Thank you again!
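The resolution Meena describes (exclude the host from the exemption, then policy NAT it) looks like the following on a pre-8.3 ASA/PIX. This is an added example for readers of the thread, not configuration posted by anyone in it. The deny entry in the nat 0 ACL is what carves x.x.224.29 out of the exemption; because NAT exemption is evaluated before policy NAT, the deny has to live in the exemption ACL itself rather than in the nat 1 ACL. The "x.x." prefixes are kept from the thread, and the global pool values are placeholders.

```cisco
! NAT exemption: deny the single DMZ host first, then exempt the rest of the /21.
! ACL entries are matched top-down, so the deny must precede the permit.
access-list in_nat0_out extended deny ip 10.0.0.0 255.0.0.0 host x.x.224.29
access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0
nat (inside) 0 access-list in_nat0_out
!
! Policy NAT for 10-net traffic to the one host, using a dynamic pool on the DMZ side.
! <POOL_START>, <POOL_END> and <POOL_MASK> are placeholders for the real pool.
access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29
nat (inside) 1 access-list in_nat1_out
global (dmz) 1 <POOL_START>-<POOL_END> netmask <POOL_MASK>
```

If in_nat0_out already exists with the permit line, the deny can be placed ahead of it with `access-list in_nat0_out line 1 extended deny ip 10.0.0.0 255.0.0.0 host x.x.224.29` instead of clearing and rebuilding the ACL. To confirm which NAT phase a flow hits, run `packet-tracer input inside tcp <inside-host> <sport> x.x.224.29 <dport>` and check that the NAT phase reports the nat 1 policy rather than the exemption; `show xlate` should then show translations for inside hosts talking to x.x.224.29 while traffic to the rest of the /21 remains untranslated.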
