
NAT Exempt rule

whiteford
Level 1

Hi,

I just need someone's advice on adding a NAT exempt rule on my ASA 5520.

If I add an exempt from an IP to another IP it works; if I add a NAT exempt for a group name to a group range it won't work.

I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.

Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work.

6 Replies

oabduo983
Level 1

For IP to IP you use static, but for network to network you can also use static; you will have to hardcode the netmask to whatever the network is, for example:

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Otherwise, if you do not specify the netmask, it will take the default, which is 255.255.255.255.

For a particular group of IP addresses, you may use policy NAT or identity NAT.

Policy NAT:

access-list test permit ip 10.10.10.0 255.255.255.0 any
access-list test permit ip 10.20.20.0 255.255.255.0 any
access-list test permit ip 10.30.30.0 255.255.255.0 any
nat (inside) 0 access-list test

Identity NAT:

nat (inside) 0 10.10.10.0 255.255.255.0
nat (inside) 0 10.20.20.0 255.255.255.0
nat (inside) 0 10.30.30.0 255.255.255.0

this should work fine...

please vote for me if it is helpful!

Thanks for the val info. Later

Thanks, what is the NAT Exempt used for?

For example, if I have 5 IP addresses of servers that I didn't want to get NAT'ed between an interface (DMZ) to a network range, how would I do this?

Example

192.168.1.1/32
192.168.1.2/32
192.168.1.3/32
192.168.1.4/32
192.168.1.5/32

Not to get NAT'ed to

172.16.0.0/16 (DMZ interface)

There are a couple of ways of performing this.

Assuming the network range is on the inside, with connections initiated to the 172.06.0.0/16 network in the DMZ range:

NAT exemption:

access-list exempttrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0
nat (inside) 0 access-list exempttrffc
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

This will provide NAT exemption for any traffic sourced from 192.168.1.0/29 initiated to 172.16.0.0/16, while all other inside traffic will be PATed to the outside interface address.

NAT exemptions are always performed first in the NAT order of operations.

One last note: with NAT exemption you can initiate both inbound and outbound connections.

Thanks for your NAT Exempt example. How would I do this for, say, individual IPs only to the DMZ, like:

192.168.1.10
192.168.1.150
192.168.1.225

Thanks
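An added editor example, not a reply from the thread, showing how the same pre-8.3 `nat 0 access-list` exemption used above can be narrowed to the three hosts just listed, with the DMZ range 172.16.0.0/16 taken from the earlier post; the object-group and ACL names are placeholders.

```text
! Added example, not from the thread: exempt three specific inside hosts
! from NAT only when they talk to the DMZ range 172.16.0.0/16.
! Group the hosts so the exemption ACL stays a single line (names are placeholders).
object-group network DMZ_NO_NAT_HOSTS
 network-object host 192.168.1.10
 network-object host 192.168.1.150
 network-object host 192.168.1.225
!
! Exemption ACL: real inside source -> DMZ destination. NAT exemption is
! bidirectional, so DMZ hosts can also initiate connections to these three.
access-list NO_NAT_TO_DMZ extended permit ip object-group DMZ_NO_NAT_HOSTS 172.16.0.0 255.255.0.0
!
! nat 0 with an ACL is NAT exemption; it is evaluated before the nat 1 rule,
! so only these three hosts bypass PAT, and only toward the DMZ range.
nat (inside) 0 access-list NO_NAT_TO_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Checks (privileged EXEC): hit counts on the exempt ACL, the resulting NAT
! rules, and a simulated flow from one exempt host to a DMZ address.
! show access-list NO_NAT_TO_DMZ
! show run nat
! packet-tracer input inside tcp 192.168.1.10 1025 172.16.0.10 80
```

Any inside host not in the object-group, and any exempt host talking to a destination outside 172.16.0.0/16, falls through to the `nat (inside) 1` rule and is PATed to the outside interface address.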
