NAT Exempt rule

Unanswered Question
Feb 12th, 2009

I just need someone's advice on adding a NAT exempt rule on my ASA 5520.

If I add an exempt from one IP to another IP it works, but if I add a NAT exempt for a group name to a group range it won't work.

I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.

Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work.

oabduo983 Thu, 02/12/2009 - 12:16

For IP to IP you use static, and for network to network you can also use static, but you will have to hard-code the netmask to whatever the network is, for example:

static (inside,outside) netmask

Otherwise, if you do not specify the netmask it will take the default, which is

For a particular group of IP addresses, you may use policy NAT or identity NAT.

Policy NAT:

access-list test permit ip any

access-list test permit ip any

access-list test permit ip any

nat (inside) 0 access-list test

Identity NAT:

nat (inside) 0

nat (inside) 0

nat (inside) 0

this should work fine...

please vote for me if it is helpful!

sdoremus33 Thu, 02/12/2009 - 13:02


whiteford Thu, 02/12/2009 - 13:19

Thanks, what is the NAT Exempt used for?

For example, if I have 5 IP addresses of servers that I didn't want to get NATed between an interface (DMZ) and a network range, how would I do this?


Not to get NATed to (DMZ interface)

sdoremus33 Thu, 02/12/2009 - 19:58

There are a couple of ways of performing this.

Assuming the network range (inside) connections are initiated to the network in the DMZ range:

NAT exemption

access-list exempttrffc permit ip

nat (inside) 0 access-list exempttrffc

nat (inside) 1

global (outside) 1 interface

This will provide NAT exemption for any traffic sourced from 192.168.1/29 initiated to /16,

while all other inside traffic will be PATed to the outside interface address.

NAT exemptions are always performed first in the NAT order of operations.

sdoremus33 Thu, 02/12/2009 - 20:02

One last note: with NAT exemption you can initiate both inbound and outbound connections.
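As an added example (not from any of the posters), here is the NAT exemption described above written out in full pre-8.3 ASA CLI, using object-groups so that it matches the grouped setup the original question describes; the interface names, object-group and ACL names, and all addresses are constructed for illustration only:

```cisco
! Constructed example: pre-8.3 ASA NAT exemption (nat 0 access-list).
! Five DMZ servers must talk to inside 192.168.0.0/16 without any translation.
!
object-group network DMZ-NO-NAT-SERVERS
 network-object host 172.16.10.11
 network-object host 172.16.10.12
 network-object host 172.16.10.13
 network-object host 172.16.10.14
 network-object host 172.16.10.15
!
object-group network INSIDE-RANGE
 network-object 192.168.0.0 255.255.0.0
!
! The exempt ACL names the real (untranslated) addresses, written in the
! direction seen from the interface the nat 0 statement is applied to.
access-list DMZ_NAT0 extended permit ip object-group DMZ-NO-NAT-SERVERS object-group INSIDE-RANGE
nat (dmz) 0 access-list DMZ_NAT0
!
! Mirror exemption on the inside interface, so inside-initiated traffic to the
! five servers is exempt explicitly rather than relying on the nat-control setting.
access-list INSIDE_NAT0 extended permit ip object-group INSIDE-RANGE object-group DMZ-NO-NAT-SERVERS
nat (inside) 0 access-list INSIDE_NAT0
!
! Everything else from inside and DMZ is still PATed to the outside interface;
! nat 0 is evaluated before these dynamic rules in the NAT order of operations.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Verification: the trace should match the nat 0 rule and build no xlate
! for an exempt server, while a non-exempt DMZ host still gets a PAT entry.
! packet-tracer input dmz tcp 172.16.10.11 1025 192.168.5.20 445
! show xlate | include 172.16.10.11
```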

whiteford Fri, 02/13/2009 - 00:28

Thanks for your NAT exempt example. How would I do this for, say, individual IPs only to the DMZ, like:
