How to NAT by default with exceptions (ASA)

Unanswered Question
May 19th, 2010

Hi Guys,

I have an ASA 5510 (OS 7.0.2) that separates a remote access subnet from an ecommerce subnet.

What I want to implement is configuration that says, by default, NAT from the remote access subnet is not required however some specific addresses need to be NAT'd.

I am thinking of implementing the following config but I'm not certain it will work and I do not have a test environment to test in:

! By default, traffic is NAT'd to
nat (remote_access_if) 1
global (ecommerce_subnet_if) 1

! Specified traffic not to NAT
access-list NAT_EXCEPTIONS extended permit ip and
access-list NAT_EXCEPTIONS extended permit ip and

! Do not NAT specified traffic
nat (remote_access_if) 2 access-list NAT_EXCEPTIONS
global (ecommerce_subnet_if) 2

My fear is this will NAT traffic I don't want NAT'd to

Can anyone confirm if my config is suitable to meet my objectives?




Jennifer Halim Thu, 05/20/2010 - 01:14

NAT exemption (NAT 0 with ACL) takes precedence over the dynamic NAT, hence you can't configure a generic ACL with the whole subnet to be exempted.

global (ecommerce_subnet_if) 2 ---> this is an incorrect statement. You can't configure global with, and a nat and global pair is actually configured to NAT the traffic.

If you can share the interface subnet of both remote and ecommerce as well as the security level configured for each interface, plus what ip you would like to NAT and to NAT it to what ip address, as well as what you do not want to NAT, then I can try to put something together if it is possible.

Scott Cannon Thu, 05/20/2010 - 15:54

Hi Halijen,

Thanks for your response. I figured I'd have to list all the exceptions under nat 0, but there are quite a few so I'm hoping there is another way to do this.

Here is the detail you requested:

interface Ethernet0/2.1
nameif REMOTE
security-level 10

By default, traffic should not be NAT'd coming from this interface, however there are some key IPs that I need to NAT (e.g. NAT'd to and NAT'd to

interface Ethernet0/3.2
security-level 20

If you know of a workaround I would really appreciate you sharing it with me.

Thanks in advance



Jennifer Halim Fri, 05/21/2010 - 19:02

OK, so you would like to NAT from low security level to high security level. And traffic is between to and

To start with, I assume you already have the following configured:

access-list ecommerce-nonat permit ip
access-list ecommerce-nonat permit ip
nat (ECOMMERCE) 0 access-list ecommerce-nonat

In regards to what you would like to achieve, then you would need to add the following:

access-list remote-pat-1 permit ip
access-list remote-pat-2 permit ip

nat (REMOTE) 5 access-list remote-pat-1 outside
global (ECOMMERCE) 5

nat (REMOTE) 6 access-list remote-pat-2 outside
global (ECOMMERCE) 6

Hope that makes sense.

Scott Cannon Tue, 05/25/2010 - 22:09

Hi Halijen,

I'm still a little confused. Perhaps you can answer another question for me that would help further my understanding.

Of the following 3 types of nat rules, what order does the ASA process them in? I.e. what has priority? Does a static rule take precedence over global rules?

Exception rule, e.g.:
nat (if) 0 access-list list
global (if) 0 NAT_IP_address

Global rules, e.g.:
nat (if) # access-list list
global (if) # NAT_IP_address

Static rules, e.g.:
static (if, NAT if) NAT_if source_IP netmask mask

I'm sure if I can better understand how the unit handles NAT I can ensure I'm asking and expecting the right questions/information.

Thanks in advance



Jennifer Halim Wed, 05/26/2010 - 02:52

Federico is correct.

Here is the order of operation:
1) NAT 0 with ACL - NAT exemption
2) Static NAT
3) Dynamic NAT - nat/global pair

The above is correct for source NAT (traffic from high to low security level).

For destination NAT (ie: NATing traffic from low to high security level), for dynamic NAT, you would need to add the "outside" keyword, plus you also need to have source NAT as per my example earlier.
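The precedence described in this reply, and why it rules out both the first configuration posted in the thread (two nat/global pairs) and a whole-subnet nat 0 with a narrower nat/global rule underneath it, as an added worked example in Python. This is not code from the thread or from Cisco: it is a small model that resolves one flow against the three rule kinds in the stated order. The interface names and security levels are the ones posted above; the subnets, hosts, ACL names, nat IDs and mapped addresses are invented placeholders, and the detail that policy NAT (nat with an ACL) is tried before regular dynamic NAT within step 3 comes from Cisco's documented order rather than from the thread.

```python
# Added example, not code from the thread or from Cisco: a small model of the
# pre-8.3 ASA NAT lookup order stated above (nat 0 access-list exemption, then
# static, then nat/global pairs). Interface names and security levels are from
# the thread; every subnet, host, ACL name and nat ID is an invented placeholder.
import ipaddress


class Acl:
    """Extended ACL reduced to 'permit ip SRC DST' entries."""
    def __init__(self, name, entries):
        self.name = name
        self.entries = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
                        for s, d in entries]

    def matches(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(src in s and dst in d for s, d in self.entries)


class AsaNat:
    def __init__(self, security_levels):
        self.levels = security_levels   # {interface: security-level}
        self.exempt = []    # nat (if) 0 access-list ACL
        self.static = []    # static (real_if,mapped_if) mapped real
        self.dynamic = []   # nat (if) ID [access-list ACL] [outside] + global (if) ID mapped

    def nat_exempt(self, real_if, acl):
        self.exempt.append((real_if, acl))

    def static_nat(self, real_if, mapped_if, mapped, real):
        self.static.append((real_if, mapped_if, mapped, real))

    def dynamic_nat(self, real_if, nat_id, mapped, acl=None, outside=False):
        self.dynamic.append((real_if, nat_id, acl, outside, mapped))

    def translate(self, in_if, out_if, src, dst):
        """Return (mapped_source, rule_that_matched) for a flow in_if -> out_if."""
        # 1) Exemption is consulted first, so a broad nat 0 ACL cannot be
        #    narrowed by a later nat/global pair: exempted hosts stay exempt.
        for real_if, acl in self.exempt:
            if real_if == in_if and acl.matches(src, dst):
                return src, f"nat ({in_if}) 0 access-list {acl.name}"
        # 2) Static NAT.
        for real_if, mapped_if, mapped, real in self.static:
            if (real_if, mapped_if, real) == (in_if, out_if, src):
                return mapped, f"static ({real_if},{mapped_if}) {mapped} {real}"
        # 3) nat/global pairs, policy rules (with an ACL) before regular ones
        #    (Cisco's documented refinement of this step, not from the thread).
        #    A rule on the lower-security side of a flow is skipped unless it
        #    carries 'outside', which is why the thread adds that keyword.
        low_to_high = self.levels[in_if] < self.levels[out_if]
        for real_if, nat_id, acl, outside, mapped in sorted(
                self.dynamic, key=lambda r: r[2] is None):
            if real_if != in_if or (low_to_high and not outside):
                continue
            if acl is None or acl.matches(src, dst):
                via = f" access-list {acl.name}" if acl else ""
                return mapped, f"nat ({in_if}) {nat_id}{via} / global ({out_if}) {nat_id} {mapped}"
        # Nothing matched: the flow passes untranslated (assumes nat-control is off).
        return src, "no nat rule"


LEVELS = {"REMOTE": 10, "ECOMMERCE": 20}             # from the thread
REMOTE_NET, ECOM_NET = "10.1.1.0/24", "10.2.2.0/24"  # invented placeholders
KEY_HOSTS = ["10.1.1.10", "10.1.1.11"]               # the hosts that must be NAT'd
OTHER_HOST, SERVER = "10.1.1.50", "10.2.2.20"


def resolve(asa):
    return {h: asa.translate("REMOTE", "ECOMMERCE", h, SERVER)
            for h in KEY_HOSTS + [OTHER_HOST]}


def two_nat_global_pairs():
    """First proposal: nat 1 for everything plus nat 2 with an ACL. Both are
    nat/global pairs, so every host is translated ('outside' added so that
    the direction is not what stops them)."""
    asa = AsaNat(LEVELS)
    exc = Acl("NAT_EXCEPTIONS", [(h + "/32", ECOM_NET) for h in KEY_HOSTS])
    asa.dynamic_nat("REMOTE", 1, "10.2.2.201", outside=True)
    asa.dynamic_nat("REMOTE", 2, "10.2.2.202", acl=exc, outside=True)
    return resolve(asa)


def whole_subnet_exempt():
    """nat 0 for the whole subnet plus a policy rule for the key hosts:
    the exemption wins, so the key hosts are never translated."""
    asa = AsaNat(LEVELS)
    asa.nat_exempt("REMOTE", Acl("remote-nonat", [(REMOTE_NET, ECOM_NET)]))
    asa.dynamic_nat("REMOTE", 2, "10.2.2.202", outside=True,
                    acl=Acl("remote-pat", [(h + "/32", ECOM_NET) for h in KEY_HOSTS]))
    return resolve(asa)


def policy_nat_per_host():
    """The layout from the reply above: no REMOTE rule by default, one 'outside'
    policy rule per key host, and nat 0 on ECOMMERCE for the reverse direction."""
    asa = AsaNat(LEVELS)
    asa.nat_exempt("ECOMMERCE", Acl("ecommerce-nonat", [(ECOM_NET, REMOTE_NET)]))
    for nat_id, host in enumerate(KEY_HOSTS, start=5):
        asa.dynamic_nat("REMOTE", nat_id, f"10.2.2.{200 + nat_id}", outside=True,
                        acl=Acl(f"remote-pat-{nat_id}", [(host + "/32", ECOM_NET)]))
    return resolve(asa)
```

Calling the three functions resolves the two key hosts and one other REMOTE host against each layout: with two nat/global pairs all three are translated (the key hosts via rule 2, the rest via rule 1); with a whole-subnet nat 0 nothing is translated, key hosts included; with the per-host policy rules only the key hosts get a mapped address and the other host passes untranslated. The model deliberately ignores ports and PAT pool exhaustion, and whether an untranslated flow is actually forwarded depends on nat-control, which the thread does not discuss.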

Scott Cannon Wed, 05/26/2010 - 19:45

Thanks Gents. I will do some testing and let you know how I go


