NAT Exempt rule

Unanswered Question
Feb 12th, 2009
Hi,


I just need someone's advice on adding a NAT exempt rule on my ASA 5520.


If I add an exempt from an IP to another IP it works, if I add a NAT exempt for a group name to a group range it won't work.


I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.


Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work.

oabduo983 Thu, 02/12/2009 - 12:16

In the IP to IP you use static, but for a network to network you can use static but you will have to hardcode the netmask to whatever the network is, for example:


static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0


otherwise, if you do not specify the netmask it will take the default which is 255.255.255.255.


for a particular group of IP addresses, you may use policy NAT or identity NAT


Policy Nat:

access-list test permit ip 10.10.10.0 255.255.255.0 any

access-list test permit ip 10.20.20.0 255.255.255.0 any

access-list test permit ip 10.30.30.0 255.255.255.0 any


nat (inside) 0 access-list test



Identity NAT


nat (inside) 0 10.10.10.0 255.255.255.0

nat (inside) 0 10.20.20.0 255.255.255.0

nat (inside) 0 10.30.30.0 255.255.255.0


this should work fine...


please vote for me if it is helpful!


sdoremus33 Thu, 02/12/2009 - 13:02

Thanks for the valuable info. Later

whiteford Thu, 02/12/2009 - 13:19

Thanks, what is the NAT Exempt used for?


For example, if I have 5 IP addresses of servers that I didn't want to get NAT'ed between an interface (DMZ) and a network range, how would I do this?


Example


192.168.1.1/32

192.168.1.2/32

192.168.1.3/32

192.168.1.4/32

192.168.1.5/32


Not to get NAT'ed to


172.16.0.0/16 (DMZ interface)



sdoremus33 Thu, 02/12/2009 - 19:58

There are a couple ways of performing this

Assuming the network range (inside) connections initiated to the 172.16.0.0/16 network in the DMZ range

Nat exemption

access-list exempttrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0

nat (inside) 0 access-list exempttrffc

nat (inside) 1

global (outside) 1 interface

This will provide NAT exemption for any traffic sourced from 192.168.1.0/29 initiated to 172.16.0.0/16

while all other inside traffic will be PATed to the outside interface address

Nat exemptions are always performed first in the NAT order of operations


sdoremus33 Thu, 02/12/2009 - 20:02

One last note: With NAT exemption you can initiate both inbound or outbound connections

whiteford Fri, 02/13/2009 - 00:28

Thanks for your NAT Exempt example, how would I do this for, say, individual IPs only to the DMZ like:


192.168.1.10

192.168.1.150

192.168.1.225


Thanks
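An added example, not from any poster in this thread, showing how the per-host exemption asked about above can be expressed with a network object-group in the pre-8.3 ASA syntax used throughout the thread. The object-group name DMZ-EXEMPT-HOSTS and the ACL name NAT-EXEMPT are assumed names; the addresses are the ones quoted in the question.

```text
! Assumed names: DMZ-EXEMPT-HOSTS (object-group) and NAT-EXEMPT (access-list)
! Group the individual inside hosts that must not be translated towards the DMZ
object-group network DMZ-EXEMPT-HOSTS
 network-object host 192.168.1.10
 network-object host 192.168.1.150
 network-object host 192.168.1.225
!
! Exemption ACL: only traffic from these hosts to 172.16.0.0/16 is matched
access-list NAT-EXEMPT extended permit ip object-group DMZ-EXEMPT-HOSTS 172.16.0.0 255.255.0.0
!
! nat 0 with an access-list is NAT exemption; it is evaluated before any other NAT rule
nat (inside) 0 access-list NAT-EXEMPT
!
! Everything else from inside is still PATed to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Because the exemption is keyed on both source and destination, the same hosts are still translated when they talk to the outside; on ASA 8.3 and later this syntax was replaced by twice NAT (nat ... source static ... destination static ...), so the lines above apply only to 8.2 and earlier images.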
