Identity nat

sushil
Level 1

Hi,

Cisco Guide says that "when you configure identity NAT or exempt NAT, you do not limit translation for a host on specific interfaces; you must choose identity NAT for all the connections through all the interfaces. Hence you cannot choose normal translations on real addresses when you access int A, but use identity when accessing int B."

1. Simply not able to understand at all what that means. Say a network of 192.168.0.0 255.255.0.0.

Identity NAT will be like

nat (inside) 0 192.168.0.0 255.255.0.0

and also PATed like

nat (inside) 1 192.168.0.0 255.255.0.0

global (outside) 1 interface

Where does the significance of interface A and B come in?

2. Exempt NAT.

I have a config like:

nat (inside) 1 192.168.0.0 255.255.0.0

global (outside) 1 interface

Internet works fine.

Now I use exempt on the same, i.e.

access-list inside_outbound permit ip 192.168.0.0 255.255.0.0 any

nat (inside) 0 access-list inside_outbound

Will this block the internet access?

Reg,

Sushil


naveen_b81
Level 1

1) What the statement means is that the identity NAT

nat (inside) 0 XXXX

cannot be separated by outbound interfaces (unless you use an access-list specifying the destination subnets).

2) If you do that, your internet access will be lost, as nat (inside) 0 takes precedence over nat (inside) 1. However, if you change the destination from any to specific subnets in the access-list, it should not cause a problem.

Naveen,

OK with the 2nd answer. Not able to understand what is meant by separated by outbound interfaces.

Reg,

Sushil

For e.g., say

nat (inside) 0 192.168.0.0 255.255.0.0

Here the traffic from 192.168.0.0/16 will be sent as it is, without NAT, to both the outside and any other DMZ interfaces if present.
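The scoped exemption suggested in the replies above, written out as an added example that is not part of any poster's reply. It uses the thread's own command syntax; the DMZ subnet 10.10.10.0 255.255.255.0 and the access-list name inside_nat0_dmz are assumptions made up for illustration.

```cisco
! Constructed example, using the command syntax from this thread.
! Assumption: a DMZ network 10.10.10.0 255.255.255.0 sits behind another interface.

! --- Version from the question: the exemption matches every destination, ---
! --- so internet-bound traffic leaves untranslated and PAT is never used. ---
! access-list inside_outbound permit ip 192.168.0.0 255.255.0.0 any
! nat (inside) 0 access-list inside_outbound

! --- Scoped exemption: only inside -> DMZ traffic bypasses NAT ---
access-list inside_nat0_dmz permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_dmz

! --- All other traffic from inside falls through to the PAT rule ---
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
```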
