02-12-2009 07:48 AM - edited 03-11-2019 07:49 AM
Hi,
I just need someone's advice on adding a NAT exempt rule on my ASA 5520.
If I add an exempt from an IP to another IP it works; if I add a NAT exempt for a group name to a group range it won't work.
I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.
Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work.
02-12-2009 12:16 PM
For IP-to-IP you use static, and for network-to-network you can also use static, but you will have to hard-code the netmask to whatever the network is, for example:
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
Otherwise, if you do not specify the netmask it will take the default, which is 255.255.255.255.
For a particular group of IP addresses, you may use policy NAT or identity NAT.
Policy NAT:
access-list test permit ip 10.10.10.0 255.255.255.0 any
access-list test permit ip 10.20.20.0 255.255.255.0 any
access-list test permit ip 10.30.30.0 255.255.255.0 any
nat (inside) 0 access-list test
Identity NAT:
nat (inside) 0 10.10.10.0 255.255.255.0
nat (inside) 0 10.20.20.0 255.255.255.0
nat (inside) 0 10.30.30.0 255.255.255.0
this should work fine...
please vote for me if it is helpful!
02-12-2009 01:02 PM
Thanks for the val info. Later.
02-12-2009 01:19 PM
Thanks, what is the NAT Exempt used for?
For example, if I have 5 IP addresses of servers that I didn't want to get NAT'ed between an interface (DMZ) and a network range, how would I do this?
Example
192.168.1.1/32
192.168.1.2/32
192.168.1.3/32
192.168.1.4/32
192.168.1.5/32
Not to get NAT'ed to
172.16.0.0/16 (DMZ interface)
02-12-2009 07:58 PM
There are a couple of ways of performing this.
Assuming the network range (inside) initiates connections to the 172.16.0.0/16 network in the DMZ range:
Nat exemption
access-list exempttrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0
nat (inside) 0 access-list exempttrffc
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
This will provide NAT exemption for any traffic sourced from 192.168.1.0/29 initiated to 172.16.0.0/16,
while all other inside traffic will be PATed to the outside interface address.
Nat exemptions are always performed first in the NAT order of operations
02-12-2009 08:02 PM
One last note: with NAT exemption you can initiate both inbound and outbound connections.
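The two answers above describe three behaviours that are easy to get wrong from the ASDM: a static without "netmask" defaults to 255.255.255.255 and so covers a single host (the likely reason the group-to-group rule "won't work"), NAT exemption is evaluated before everything else, and identity NAT coexists with a catch-all PAT rule. The following toy matcher is an added example, not code from the thread or from Cisco; it parses the small subset of ASA 8.2-style commands quoted above and reports which rule a given connection would hit. The sample configuration is constructed for the example, and the longest-prefix choice among dynamic nat statements is an assumption of this model.

```python
"""Toy matcher for ASA 8.2-style NAT statements (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample configuration, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """
access-list exempttrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0
access-list exempttrffc permit ip host 192.168.1.150 172.16.0.0 255.255.0.0
nat (inside) 0 access-list exempttrffc
static (inside,outside) 10.10.10.0 10.10.10.0
static (inside,outside) 10.20.20.0 10.20.20.0 netmask 255.255.255.0
nat (inside) 0 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?")


def _acl_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Parse the subset of ASA NAT commands used in the thread into rule lists."""
    cfg = {"acls": {}, "exempt": [], "static": [], "dynamic": [], "global": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _acl_addr(t, 4)
            dst, _ = _acl_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                if nat_id != 0:
                    raise ValueError("policy dynamic NAT is not modelled in this example")
                cfg["exempt"].append((iface, t[4]))          # nat 0 access-list = exemption
            else:
                net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                cfg["dynamic"].append((iface, nat_id, net))  # id 0 = identity, else dynamic
        elif t[0] == "static":
            real_if, mapped_if, mapped, real, mask = STATIC_RE.match(line).groups()
            mask = mask or "255.255.255.255"                 # ASA default when netmask is omitted
            real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
            cfg["static"].append((real_if, mapped_if, ipaddress.ip_address(mapped), real_net))
        elif t[0] == "global":
            cfg["global"][int(t[2])] = " ".join(t[3:])
    return cfg


def classify(cfg, in_if, src, dst):
    """Return (action, detail) for a connection from src on in_if to dst, in ASA order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption is first in the order of operations and matches source AND destination.
    for iface, acl in cfg["exempt"]:
        if iface == in_if and any(src in s and dst in d for s, d in cfg["acls"].get(acl, [])):
            return ("exempt", str(src))
    # 2. Static NAT: translate by the host's offset inside the real network.
    for real_if, _mapped_if, mapped, real_net in cfg["static"]:
        if real_if == in_if and src in real_net:
            return ("static", str(mapped + (int(src) - int(real_net.network_address))))
    # 3. Dynamic / identity NAT: the most specific matching statement wins (model assumption).
    hits = [h for h in cfg["dynamic"] if h[0] == in_if and src in h[2]]
    if hits:
        _, nat_id, _ = max(hits, key=lambda h: h[2].prefixlen)
        if nat_id == 0:
            return ("identity", str(src))
        return ("dynamic", f"global {nat_id} {cfg['global'].get(nat_id, '?')}")
    return ("no-nat", str(src))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("inside", "192.168.1.3", "172.16.9.9"),
                 ("inside", "10.10.10.5", "203.0.113.5"),
                 ("inside", "10.20.20.5", "203.0.113.5")]:
        print(flow, "->", classify(cfg, *flow))
```

Running it shows the pitfall directly: 10.10.10.5 falls through the netmask-less static (which only covers 10.10.10.0) and is PATed to the outside interface, while 10.20.20.5 is statically translated because its static carries "netmask 255.255.255.0"; hosts in 192.168.1.0/29 going to 172.16.0.0/16 are exempted before any other rule is considered.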
02-13-2009 12:28 AM
Thanks for your NAT exempt example; how would I do this for, say, individual IPs only to the DMZ, like:
192.168.1.10
192.168.1.150
192.168.1.225
Thanks