NAT exemption and Policy NAT

Feb 11th, 2009

Hi All,


I have the following NAT exemption configured on my firewall


access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0


nat (inside) 0 access-list in_nat0_out


The statements above basically do the NAT exemption for us. For any 10.0.0.0/8 traffic from inside destined to x.x.224.0/21 (this is our DMZ subnet), we do not perform NAT.

But now we have a single device in the DMZ (IP x.x.224.29) that we want to NAT. For any 10-net traffic destined for x.x.224.29/32, I want to allocate a dynamic NAT pool.

The way I understand it, once I have nat 0 (NAT exemption) configured, I cannot do NAT on an overlapping network or address.

Is that correct? Or is it possible to do NAT for just one address and nat 0 for all other addresses?


Thanks,

Meena

eddie.mitchell@... Wed, 02/11/2009 - 06:34

Have you tried the following?


access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29


nat (inside) 1 access-list in_nat1_out

global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x


Hope this helps.

mchockalingam Wed, 02/11/2009 - 06:43

No, I have not tried it yet.


I thought this would not work because my nat 0 command already has that address in it. x.x.224.29/32 is part of x.x.224.0/21, and it would take the first match, which is my NAT exemption.


Does it look for a closer match or the first match?


Meena

mchockalingam Wed, 02/11/2009 - 17:04

Thank you, Jon!


I was able to verify that NAT exemption takes precedence. The only way I can do policy NAT is if I exclude that address from the NAT exemption.


Thank you again!
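Added example, not part of the original thread: the configuration that follows puts the conclusion above into practice. On pre-8.3 ASA/PIX software the NAT order of operations evaluates nat 0 access-list (NAT exemption) before any policy or regular NAT, so the only way to policy-NAT x.x.224.29 is to remove that host from the exemption ACL first. The example assumes 7.x/8.2 syntax, where the exemption ACL honours deny ACEs; the x.x. octets and the global pool range are placeholders, as in the thread.

```cisco
! Added example (not from the original posts). Assumes ASA/PIX 7.x-8.2 syntax.
! Placeholders: x.x.224.0/21 is the DMZ subnet, x.x.224.100-110 is an assumed
! free range inside it for the dynamic pool.
!
! 1. NAT exemption: carve the single DMZ host out of the exempted range.
!    ACEs are matched top-down, so the deny must sit above the existing permit;
!    "line 1" inserts it at the top of an ACL that already exists.
access-list in_nat0_out line 1 extended deny ip 10.0.0.0 255.0.0.0 host x.x.224.29
access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0
nat (inside) 0 access-list in_nat0_out
!
! 2. Policy NAT for the one host that is no longer exempted (the same shape
!    eddie.mitchell suggested above, with the pool filled in).
access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29
nat (inside) 1 access-list in_nat1_out
global (dmz) 1 x.x.224.100-x.x.224.110 netmask 255.255.248.0
!
! 3. Translations built before the change keep their old (exempt) entry until
!    they age out or are cleared, so clear them after the edit.
clear xlate
!
! 4. Verify: the deny hit count should climb for inside->x.x.224.29 traffic,
!    and xlate should show a pool address for that flow and nothing for the
!    rest of the /21.
show access-list in_nat0_out
show xlate
```

The deny ACE is what makes this work: without it, the /8-to-/21 permit in in_nat0_out still matches the .29 host first and the nat 1 entry is never consulted, which is exactly the behaviour Meena observed. If a platform does not accept deny in the exemption ACL, the fallback is to replace the single /21 permit with permits for the sub-ranges that together cover the /21 minus x.x.224.29.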

Jon Marshall Wed, 02/11/2009 - 17:30

Meena


No problem, glad to have been of help :-)


Jon
