NAT exemption and Policy NAT

mchockalingam
Level 1

Hi All,

I have the following NAT exemption configured on my firewall

access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0

nat (inside) 0 access-list in_nat0_out

The statements above basically do the NAT exemption for us. Any 10.0.0.0/8 traffic from inside destined to x.x.224.0/21 (this is our DMZ subnet) we do not NAT.

But now, we have a single device in the DMZ (IP is x.x.224.29) that we want to do NAT. Any 10-net traffic destined for x.x.224.29/32, I want to allocate a dynamic NAT pool.

The way I understand is, once I have nat 0 (or NAT exemption) configured, I cannot do a NAT on an overlapping network or address.

Is that correct? Or is it possible to do a NAT just for 1 address and nat 0 for all other addresses?

thanks,

Meena

6 Replies

eddie.mitchell
Level 3

Have you tried the following?

access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29

nat (inside) 1 access-list in_nat1_out

global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x

Hope this helps.

No, I have not tried it yet.

I thought this would not work because my nat 0 command already covers that address. x.x.224.29/32 is part of x.x.224.0/21, and it would take the first match, which is my NAT exemption.

Does it look for a closer match or the first match?

Meena

Jon Marshall
Hall of Fame

Meena

You are correct, nat exemption takes precedence over everything else -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042696

You will have to exempt the traffic going to x.x.224.29 from your access-list in_nat0_out.

Jon
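To make the behaviour in the thread concrete, here is an added example (not posted by anyone in the thread, and not Cisco code) that models the two NAT stages under discussion: NAT exemption via `nat 0 access-list`, which is evaluated before anything else, and policy dynamic NAT via `nat N access-list`. It puts eddie.mitchell's suggested `nat (inside) 1` / `global (dmz) 1` lines next to the original exemption, shows why the host still lands in the exemption, and then applies Jon's fix by adding a `deny` ACE for the host ahead of the broad `permit` in `in_nat0_out`. The addresses are constructed stand-ins for the masked ones in the thread (172.16.224.0/21 for x.x.224.0/21, 172.16.224.29 for x.x.224.29, an arbitrary 172.16.230.x pool for the `global`); static NAT, regular non-ACL dynamic NAT and pool selection are deliberately not modelled.

```python
"""Order-of-operations model for classic (pre-8.3) ASA/PIX NAT.

Added example, not from the thread. Only two stages are modelled:
  1. NAT exemption  (nat 0 access-list), checked first for every flow
  2. policy NAT     (nat N access-list), in configuration order
"""
import ipaddress

# Constructed stand-ins for the masked addresses in the thread:
#   x.x.224.0/21 -> 172.16.224.0/21 (DMZ), x.x.224.29 -> 172.16.224.29
ORIGINAL_CONFIG = """
access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 172.16.224.0 255.255.248.0
nat (inside) 0 access-list in_nat0_out
access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host 172.16.224.29
nat (inside) 1 access-list in_nat1_out
global (dmz) 1 172.16.230.1-172.16.230.10 netmask 255.255.255.0
"""

# The fix from the thread: carve the host out of the exemption ACL with a
# deny ACE placed before the broad permit (ACLs are evaluated first-match).
FIXED_CONFIG = """
access-list in_nat0_out extended deny ip 10.0.0.0 255.0.0.0 host 172.16.224.29
access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 172.16.224.0 255.255.248.0
nat (inside) 0 access-list in_nat0_out
access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host 172.16.224.29
nat (inside) 1 access-list in_nat1_out
global (dmz) 1 172.16.230.1-172.16.230.10 netmask 255.255.255.0
"""


def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, [(iface, nat_id, acl), ...])."""
    acls, nat_rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) >= 7 and tok[2] == "extended" and tok[4] == "ip":
            src, rest = _addr(tok[5:])
            dst, _ = _addr(rest)
            acls.setdefault(tok[1], []).append((tok[3], src, dst))
        elif tok[0] == "nat" and "access-list" in tok:
            nat_rules.append((tok[1].strip("()"), int(tok[2]), tok[tok.index("access-list") + 1]))
        # 'global' and anything else is ignored: pool selection is not modelled
    return acls, nat_rules


def acl_lookup(aces, src, dst):
    """First-match ACL evaluation; None means nothing matched (implicit deny)."""
    for action, s_net, d_net in aces:
        if src in s_net and dst in d_net:
            return action
    return None


def classify(config_text, src_ip, dst_ip):
    """Return ('exempt', 0), ('policy', nat_id) or ('none', None) for one flow."""
    acls, nat_rules = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Stage 1: NAT exemption takes precedence over every other NAT rule.
    # A deny ACE in the nat 0 ACL does not exempt the flow; it just falls
    # through to the later stages, which is what makes the fix work.
    for _iface, nat_id, acl in nat_rules:
        if nat_id == 0 and acl_lookup(acls[acl], src, dst) == "permit":
            return ("exempt", 0)
    # Stage 2: policy NAT rules, in configuration order.
    for _iface, nat_id, acl in nat_rules:
        if nat_id != 0 and acl_lookup(acls[acl], src, dst) == "permit":
            return ("policy", nat_id)
    return ("none", None)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for dst in ("172.16.224.29", "172.16.224.30"):
            print(f"{label:8} 10.1.2.3 -> {dst}: {classify(cfg, '10.1.2.3', dst)}")
```

With `ORIGINAL_CONFIG` the flow to 172.16.224.29 is classified as exempt even though `nat (inside) 1` matches it exactly, because the exemption stage runs first and its ACL is first-match, not longest-match. With `FIXED_CONFIG` the same flow falls out of the exemption on the `deny` ACE and is picked up by policy NAT 1, while the rest of the /21 stays exempt. This ordering is specific to the pre-8.3 `nat`/`global`/`nat 0` syntax the thread uses; on ASA 8.3 and later NAT is a single ordered table, and the same carve-out is done by rule order rather than by a deny in an exemption ACL.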

Thank you Jon!

I was able to verify that NAT exemption takes precedence. The only way I can do policy NAT is if I exclude that address from the NAT exemption.

Thank you again!

Meena

No problem, glad to have been of help :-)

Jon
