02-11-2009 05:37 AM - last edited on 03-25-2019 05:42 PM by ciscomoderator
Hi All,
I have the following NAT exemption configured on my firewall
access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0
nat (inside) 0 access-list in_nat0_out
The statements above basically do the NAT exemption for us. Any 10.0.0.0/8 traffic from inside destined to the x.x.224.0/21 (this is our DMZ subnet), we do not perform NAT on.
But now, we have a single device in the DMZ (IP is x.x.224.29) that we want to do NAT. Any 10-net traffic destined for x.x.224.29/32, I want to allocate a dynamic NAT pool.
The way I understand is, once I have nat 0 (or NAT exemption) configured, I cannot do a NAT on an overlapping network or address.
Is that correct? Or is it possible to do a NAT just for 1 address and nat 0 for all other addresses?
thanks,
Meena
02-11-2009 06:34 AM
Have you tried the following?
access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29
nat (inside) 1 access-list in_nat1_out
global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x
Hope this helps.
02-11-2009 06:43 AM
No, I have not tried it yet.
I thought this would not work because my nat 0 command already has that address in it. x.x.224.29/32 is part of x.x.224.0/21 and it would take the first match, which is my NAT exemption.
Does it look for a closer match or the first match?
Meena
02-11-2009 06:46 AM
I believe the more specific NAT should take precedence.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
02-11-2009 06:52 AM
Meena
You are correct, nat exemption takes precedence over everything else -
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042696
You will have to exempt the traffic going to x.x.224.29 from your access-list in_nat0_out.
Jon
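To make Jon's answer concrete, here is the resulting configuration as an added example; it is not from the thread or from Cisco documentation. It assumes the ASA 7.x/8.2-style NAT syntax used in the posts above, and the global pool addresses and netmask are placeholders (x.x.x.x) that you would replace with your own DMZ pool.

```cisco
! NAT exemption ACL: the deny for the single host must come BEFORE the
! /21 permit, because the ACL is evaluated first-match. Traffic to
! x.x.224.29 therefore falls out of the exemption and can be NATed.
access-list in_nat0_out extended deny ip 10.0.0.0 255.0.0.0 host x.x.224.29
access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0
nat (inside) 0 access-list in_nat0_out

! Policy dynamic NAT for 10/8 -> x.x.224.29 only, using pool id 1
access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29
nat (inside) 1 access-list in_nat1_out

! Dynamic pool on the DMZ interface (placeholder range and mask)
global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x
```

If the permit ACE already exists on a running firewall, insert the deny ahead of it with the `line` keyword (`access-list in_nat0_out line 1 extended deny ...`) rather than removing and re-adding the ACL. You can confirm which rule a flow hits with `packet-tracer input inside tcp <inside-host> 12345 x.x.224.29 80`, which shows whether the NAT exemption or the nat 1 policy was applied, and `show xlate` should then show a translation for inside hosts talking to x.x.224.29 and none for the rest of the /21.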
02-11-2009 05:04 PM
Thank you Jon!
I was able to verify that NAT exemption takes precedence. The only way I can do policy NAT is if I exclude that address from the NAT exemption.
Thank you again!
02-11-2009 05:30 PM
Meena
No problem, glad to have been of help :-)
Jon