NAT Exception

Answered Question
Mar 8th, 2009

If I have 20 hosts in a subnet and I would like to exempt only 2 hosts from NAT'ing, how can it be acheived in FWSM/ASA.

Thanks.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 7 years 9 months ago

object-group network clients

network-object host 192.168.5.10

network-object host 192.168.5.11

access-list nonat permit ip object-group clients any

nat (inside) 0 access-list nonat

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Sun, 03/08/2009 - 14:50

object-group network clients

network-object host 192.168.5.10

network-object host 192.168.5.11

access-list nonat permit ip object-group clients any

nat (inside) 0 access-list nonat

Jon

cisco_lite Sun, 03/08/2009 - 15:17

Currently NAT is enabled bidirectionally between OUTSIDE & INSIDE.

If I am configuring NAT exemption for hosts on the outside interface, will NAT 0 command be applied only to outside interface or even inside.

cisco_lite Mon, 03/09/2009 - 06:24

Well, I tried applying to both the interfaces, but it is not working.

Please advise.

Jon Marshall Mon, 03/09/2009 - 06:47

Nat exemption should take precedence over all forms of NAT. Are you trying to exempt addresses as they go from inside to outside or outside to inside.

Also after adding the nat exempt rule did you clear xlate on any existing translations for those hosts ?

Jon

cisco_lite Mon, 03/09/2009 - 07:27

I am trying to exempt both ways - bidirectionally across two interfaces i.e. INSIDE and OUTSIDE. How would the NAT exempt configuration be in this case.

Yes, I did clear xlate while testing.

Jon Marshall Mon, 03/09/2009 - 08:11

Okay, NAT exemption should be bi-directional.. Try this config instead

nat (inside) 0 192.168.5.10 255.255.255.255

nat (inside) 0 192.168.5.11 255.255.255.255

Jon

cisco_lite Mon, 03/09/2009 - 10:26

Jon,

Are you suggesting identity nat over nat exemption. If so, why is that.

Please explain why is it only applied to inside interface only and not outside and how will it serve bi-directionally.

Thanks.

Jon Marshall Mon, 03/09/2009 - 10:34

"Are you suggesting identity nat over nat exemption. If so, why is that"

No, the first solution i gave was just more complicated than it needed to be (i do that sometimes !).

All you want is to just exempt 2 host addresses from NAT so the second example i sent is simply that - 2 nat exemptions.

It only needs to be applied to one interface because it is bi-directional. If it wasn't bi-directional then yes you would need to apply it to both interfaces.

Jon

cisco_lite Mon, 03/09/2009 - 11:08

I have tried all the above after clearing specific xlate entry but no success. I will mention my example again

FWSM:

DMZ (Interface) : Security Level 75

OUTSIDE (Interface) : Security Level 0

NATing (bi-directional) is enabled for all hosts on OUTSIDE subnet (10.10.10.0/24) when communicating over DMZ interface. NATed network is 20.20.20.0/24. Now, I would like to exempt 10.10.10.50 and 10.10.10.51 from being NAT'ed to 20.20.20.50 and 20.20.20.51.

The current static NAT entry on FWSM is

static (OUTSIDE,DMZ) 20.20.20.0 10.10.10.0 netmask 255.255.255.0

Thanks.

Jon Marshall Mon, 03/09/2009 - 11:47

So can you modify the example earlier or have you already tried this ie.

nat (DMZ) 0 10.10.10.50

nat (DMZ) 0 10.10.10.51

Jon

cisco_lite Mon, 03/09/2009 - 12:53

I have tried this as well. It defaults to classful subnet i.e. 10.0.0.0 / 16 with nat 0 command. The xlate gets populated with the NAT'ed global and actual local. NAT exemption is not taking place.

Thanks.

Jon Marshall Mon, 03/09/2009 - 13:57

Sorry, that should have been

nat (DMZ) 0 10.10.10.50 255.255.255.255

nat (DMZ) 0 10.10.10.51 255.255.255.255

Edit - if the above stil doesn't work then the next thing to try is nat on the outside interface ie.

nat (outside) 0 10.10.10.50 255.255.255.255 outside

nat (outside) 0 10.10.10.51 255.255.255.255 outside

Jon

cisco_lite Tue, 03/10/2009 - 14:16

Hi Jon,

The NAT issue is still not solved. I have tried both the suggestions above still the same. I then used a sniffer to verify that NAT'ing is still taking place from and to these hosts and not exempted. Seems complicated.

Please assist.

Thanks.

cisco_lite Fri, 03/13/2009 - 15:29

Thanks a bunch Jon.

I decided to go by static host based NATs rather than NAT Exemption. Couldn't wait more.

Actions

This Discussion