NAT exemption and Policy NAT

Feb 11th, 2009

Hi All,

I have the following NAT exemption configured on my firewall

access-list in_nat0_out extended permit ip x.x.224.0

nat (inside) 0 access-list in_nat0_out

The statements above basically do the NAT exemption for us. For any traffic from inside destined to x.x.224.0/21 (this is our DMZ subnet), we do not perform NAT.

But now, we have a single device in the DMZ (IP is x.x.224.29) for which we want to do NAT. For any 10-net traffic destined for x.x.224.29/32, I want to allocate a dynamic NAT pool.

The way I understand it, once I have nat 0 (or NAT exemption) configured, I cannot do NAT on an overlapping network or address.

Is that correct? Or is it possible to do a NAT just for 1 address and nat 0 for all other addresses?

eddie.mitchell@... Wed, 02/11/2009 - 06:34
User Badges:
  • Silver, 250 points or more

Have you tried the following?

access-list in_nat1_out extended permit ip host x.x.224.29

nat (inside) 1 access-list in_nat1_out

global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x

Hope this helps.

mchockalingam Wed, 02/11/2009 - 06:43

No, I have not tried it yet.

I thought this would not work because my nat 0 command already has that address in it. x.x.224.29/32 is part of x.x.224.0/21 and it would take the first match, which is my NAT exemption.

Does it look for a closer match or the first match?


mchockalingam Wed, 02/11/2009 - 17:04

Thank you Jon!

I was able to verify that NAT exemption takes precedence. The only way I can do policy NAT is if I exclude that address from the NAT exemption.

Thank you again!
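To make the outcome of this thread concrete, here is an added illustration (my own code, not anything posted in the thread or taken from Cisco's documentation) of two facts the question turns on: an access list is evaluated first-match, not closest-match, and in the pre-8.3 ASA/PIX NAT order of operations the NAT exemption (nat 0 access-list) is consulted before policy NAT. The addresses, the 10.0.0.0/8 source, and the global pool are constructed stand-ins for the thread's x.x.224.x values; using a deny ACE in the nat 0 access list to exclude the host is one way to "exclude that address from the NAT exemption" and is an assumption about how you would write it, not a configuration from the thread.

```python
"""Added illustration (not from the thread): first-match ACL evaluation and the
pre-8.3 ASA/PIX NAT order of operations, showing why a host covered by the
nat 0 (exemption) ACL never reaches policy NAT unless it is excluded there."""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's x.x.224.0/21 DMZ and host x.x.224.29.
DMZ = ip_network("172.16.224.0/21")
DMZ_HOST = ip_network("172.16.224.29/32")
INSIDE = ip_network("10.0.0.0/8")          # the "10-net" the poster mentions
POOL = "172.16.224.200-172.16.224.210"     # constructed global (dmz) 1 pool


def acl_match(acl, src, dst):
    """Return the action of the FIRST ACE matching (src, dst), or None.

    ACLs are first-match; there is no longest-prefix lookup as in routing,
    so the position of an ACE matters, not how specific it is.
    An ACE is (action, source_network, destination_network).
    """
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None


def nat_decision(exempt_acl, policy_rules, src, dst):
    """Decide translation for one flow in the pre-8.3 order:
    1. NAT exemption (nat 0 access-list) wins if its ACL permits the flow;
    2. otherwise policy NAT rules (nat <id> access-list + global) are tried;
    3. otherwise no translation applies in this simplified model.
    policy_rules is a list of (acl, pool) pairs.
    """
    if acl_match(exempt_acl, src, dst) == "permit":
        return "exempt"
    for acl, pool in policy_rules:
        if acl_match(acl, src, dst) == "permit":
            return f"policy-nat:{pool}"
    return "no-translation"


# Original configuration from the thread (sources assumed to be the 10-net):
# nat (inside) 0 access-list in_nat0_out   -> permit 10/8 to the whole /21
# nat (inside) 1 access-list in_nat1_out   -> permit 10/8 to the single host
ORIG_EXEMPT = [("permit", INSIDE, DMZ)]
POLICY = [([("permit", INSIDE, DMZ_HOST)], POOL)]

# Fix reported in the thread: exclude the host from the exemption ACL.
# A deny ACE ahead of the /21 permit is an assumed way to write that exclusion;
# splitting the /21 into permits that skip the host would give the same result.
FIXED_EXEMPT = [("deny", INSIDE, DMZ_HOST), ("permit", INSIDE, DMZ)]

# Same deny ACE placed AFTER the /21 permit: first match wins, so it never fires.
MISORDERED_EXEMPT = [("permit", INSIDE, DMZ), ("deny", INSIDE, DMZ_HOST)]


def decide(exempt_acl, dst_ip, src_ip="10.1.2.3"):
    """Run one inside-to-DMZ flow through the model and return the decision."""
    return nat_decision(exempt_acl, POLICY, ip_address(src_ip), ip_address(dst_ip))


if __name__ == "__main__":
    for label, acl in (("original", ORIG_EXEMPT),
                       ("fixed", FIXED_EXEMPT),
                       ("misordered", MISORDERED_EXEMPT)):
        for dst in ("172.16.224.29", "172.16.224.30"):
            print(f"{label:10} -> {dst}: {decide(acl, dst)}")
```

Running the block shows the host staying exempt under the original ACL even though the nat 1 ACL also matches it, the host hitting the policy NAT pool once the exemption ACL excludes it (with the rest of the /21 still exempt), and the exclusion silently doing nothing when it is placed after the broader permit.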

Jon Marshall Wed, 02/11/2009 - 17:30
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN


No problem, glad to have been of help :-)