NAT Exception

Answered Question
Mar 8th, 2009

If I have 20 hosts in a subnet and I would like to exempt only 2 hosts from NAT'ing, how can it be achieved in FWSM/ASA?


Thanks.

Correct Answer
Jon Marshall Sun, 03/08/2009 - 14:50

object-group network clients
network-object host 192.168.5.10
network-object host 192.168.5.11

access-list nonat permit ip object-group clients any

nat (inside) 0 access-list nonat


Jon

cisco_lite Sun, 03/08/2009 - 15:17
Currently NAT is enabled bidirectionally between OUTSIDE & INSIDE.


If I am configuring NAT exemption for hosts on the outside interface, will the NAT 0 command be applied only to the outside interface, or to the inside as well?

cisco_lite Mon, 03/09/2009 - 06:24

Well, I tried applying it to both interfaces, but it is not working.


Please advise.

Jon Marshall Mon, 03/09/2009 - 06:47

NAT exemption should take precedence over all forms of NAT. Are you trying to exempt addresses as they go from inside to outside, or from outside to inside?


Also, after adding the NAT exempt rule, did you clear xlate on any existing translations for those hosts?


Jon

cisco_lite Mon, 03/09/2009 - 07:27

I am trying to exempt both ways - bidirectionally across two interfaces, i.e. INSIDE and OUTSIDE. What would the NAT exempt configuration be in this case?


Yes, I did clear xlate while testing.

Jon Marshall Mon, 03/09/2009 - 08:11

Okay, NAT exemption should be bi-directional. Try this config instead:


nat (inside) 0 192.168.5.10 255.255.255.255
nat (inside) 0 192.168.5.11 255.255.255.255


Jon

cisco_lite Mon, 03/09/2009 - 10:26
Jon,


Are you suggesting identity NAT over NAT exemption? If so, why is that?


Please explain why it is applied only to the inside interface and not the outside, and how it will serve bi-directionally.


Thanks.

Jon Marshall Mon, 03/09/2009 - 10:34

"Are you suggesting identity nat over nat exemption. If so, why is that"


No, the first solution I gave was just more complicated than it needed to be (I do that sometimes!).

All you want is to exempt 2 host addresses from NAT, so the second example I sent is simply that - 2 NAT exemptions.

It only needs to be applied to one interface because it is bi-directional. If it wasn't bi-directional then yes, you would need to apply it to both interfaces.


Jon

cisco_lite Mon, 03/09/2009 - 11:08
I have tried all of the above after clearing the specific xlate entry, but with no success. I will describe my example again:


FWSM:
DMZ (Interface): Security Level 75
OUTSIDE (Interface): Security Level 0

NATing (bi-directional) is enabled for all hosts on the OUTSIDE subnet (10.10.10.0/24) when communicating over the DMZ interface. The NATed network is 20.20.20.0/24. Now, I would like to exempt 10.10.10.50 and 10.10.10.51 from being NAT'ed to 20.20.20.50 and 20.20.20.51.

The current static NAT entry on the FWSM is:

static (OUTSIDE,DMZ) 20.20.20.0 10.10.10.0 netmask 255.255.255.0


Thanks.

Jon Marshall Mon, 03/09/2009 - 11:47

So can you modify the earlier example, or have you already tried this, i.e.


nat (DMZ) 0 10.10.10.50
nat (DMZ) 0 10.10.10.51


Jon

cisco_lite Mon, 03/09/2009 - 12:53
I have tried this as well. It defaults to a classful subnet, i.e. 10.0.0.0/16, with the nat 0 command. The xlate gets populated with the NAT'ed global and the actual local. NAT exemption is not taking place.


Thanks.

Jon Marshall Mon, 03/09/2009 - 13:57

Sorry, that should have been:

nat (DMZ) 0 10.10.10.50 255.255.255.255
nat (DMZ) 0 10.10.10.51 255.255.255.255

Edit - if the above still doesn't work, then the next thing to try is nat on the outside interface, i.e.

nat (outside) 0 10.10.10.50 255.255.255.255 outside
nat (outside) 0 10.10.10.51 255.255.255.255 outside


Jon

cisco_lite Tue, 03/10/2009 - 14:16

Hi Jon,


The NAT issue is still not solved. I have tried both of the suggestions above, still the same. I then used a sniffer to verify that NAT'ing is still taking place from and to these hosts and is not exempted. Seems complicated.


Please assist.


Thanks.

Jon Marshall Tue, 03/10/2009 - 14:41

Can you post the full config of the FWSM?


Jon

cisco_lite Fri, 03/13/2009 - 15:29

Thanks a bunch Jon.


I decided to go with static host-based NATs rather than NAT exemption. Couldn't wait any more.
