NAT Exempt rule

whiteford
Level 1

Hi,

I just need someone's advice on adding a NAT exempt rule on my ASA 5520.

If I add an exemption from one IP to another IP it works; if I add a NAT exemption from a group name to a group range it won't work.

I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.

Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work.

6 Replies

oabduo983
Level 1

In the IP-to-IP case you use static, but for network to network you can also use static; you will have to hard-code the netmask to whatever the network is, for example:

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Otherwise, if you do not specify the netmask, it will take the default, which is 255.255.255.255.

For a particular group of IP addresses, you may use policy NAT or identity NAT.

Policy NAT:

access-list test permit ip 10.10.10.0 255.255.255.0 any
access-list test permit ip 10.20.20.0 255.255.255.0 any
access-list test permit ip 10.30.30.0 255.255.255.0 any
nat (inside) 0 access-list test

Identity NAT:

nat (inside) 0 10.10.10.0 255.255.255.0
nat (inside) 0 10.20.20.0 255.255.255.0
nat (inside) 0 10.30.30.0 255.255.255.0

This should work fine...

Please vote for me if it is helpful!

Thanks for the val info. Later

Thanks, what is the NAT Exempt used for?

For example, if I have 5 IP addresses of servers that I didn't want to get NAT'ed between an interface (DMZ) and a network range, how would I do this?

Example:

192.168.1.1/32
192.168.1.2/32
192.168.1.3/32
192.168.1.4/32
192.168.1.5/32

Not to get NAT'ed to

172.16.0.0/16 (DMZ interface)

There are a couple of ways of performing this.

Assuming connections are initiated from the inside network range to the 172.16.0.0/16 network in the DMZ:

NAT exemption

access-list exempttrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0
nat (inside) 0 access-list exempttrffc
nat (inside) 1
global (outside) 1 interface

This will provide NAT exemption for any traffic sourced from 192.168.1.0/29 initiated to 172.16.0.0/16, while all other inside traffic will be PAT'ed to the outside interface address.

NAT exemptions are always performed first in the NAT order of operations.

One last note: with NAT exemption you can initiate both inbound and outbound connections.

Thanks for your NAT Exempt example, how would I do this for, say, individual IPs only to the DMZ, like:

192.168.1.10
192.168.1.150
192.168.1.225

Thanks
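As an added example (not code from this thread or from Cisco), a small Python check for the pre-8.3 ACL-based exemption shown in the reply above: it expands each ACE's source addresses and compares them with the hosts you meant to exempt, since a /29 written for five servers also exempts .0, .6 and .7 (and an exempted host is reachable un-NATed in both directions), and it emits one ACE per host for the individual-IP case in the last follow-up. The ACL name `exempt_dmz_hosts` and the use of the `host` keyword form are assumptions; the addresses are the thread's.

```python
import ipaddress
def _net(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)  # real netmask, not wildcard

def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' (pre-8.3 syntax); None for other lines."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        return None
    rest = tokens[4:]
    try:
        src, dst = _net(rest), _net(rest)
    except (IndexError, ValueError):
        return None
    return tokens[1], src, dst

def exempted_sources(acl_lines, dst):
    """Every source address the ACL exempts for traffic towards dst (a CIDR string)."""
    dst_net = ipaddress.IPv4Network(dst)
    covered = set()
    for line in acl_lines:
        parsed = parse_ace(line)
        if parsed and parsed[2].supernet_of(dst_net):
            if parsed[1].prefixlen < 16:
                raise ValueError(f"source {parsed[1]} too wide to expand host by host")
            covered.update(parsed[1])  # iterating a network yields every address in it
    return covered

def audit(acl_lines, intended_hosts, dst):
    """Return (over_exempted, missing): addresses exempted but not intended, and vice versa."""
    intended = {ipaddress.IPv4Address(h) for h in intended_hosts}
    covered = exempted_sources(acl_lines, dst)
    return (sorted(str(a) for a in covered - intended),
            sorted(str(a) for a in intended - covered))

def host_exempt_acl(name, hosts, dst):
    """One ACE per host: exempts exactly the listed hosts and nothing else."""
    d = ipaddress.IPv4Network(dst)
    return [f"access-list {name} permit ip host {h} {d.network_address} {d.netmask}" for h in hosts]

# Constructed sample: the /29 ACE from the reply above, checked against the five intended servers.
THREAD_ACL = ["access-list exempttrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0"]
SERVERS = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4", "192.168.1.5"]
FOLLOW_UP_HOSTS = ["192.168.1.10", "192.168.1.150", "192.168.1.225"]
if __name__ == "__main__":
    print(audit(THREAD_ACL, SERVERS, "172.16.0.0/16"))  # (['192.168.1.0', '192.168.1.6', '192.168.1.7'], [])
    print("\n".join(host_exempt_acl("exempt_dmz_hosts", FOLLOW_UP_HOSTS, "172.16.0.0/16")))
```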
