identity static NAT and PAT

Unanswered Question
Jul 19th, 2010

access-list IDENT-STATIC extended permit ip object-group X object-group Y
global (outside) 9 x.x.x.x
nat (inside) 9 x.x.x.x dns
static (inside,outside) x.x.x.0  access-list IDENT-STATIC

I have the following configuration above which works fine but an issue has come up in which I need to see if it is possible or not to work around.  Group X is an internal network of users on RFC1918 space and object-group Y is also an internal network that is on public ip's.  So basically they are identity natted if they reach any host on the Y network and are PAT'ed if they go elsewhere.  What I need to do if possible is allow all the computers in object-group x to reach one host in object-group Y without being NAT'ed.  The host they need to reach is already a part of the network in object-group Y.  Is there a way to exclude a host from being NAT'ed before this statement is processed?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Nagaraja Thanthry Mon, 07/19/2010 - 20:30


You can try NAT-0 configuration.

Access-list nonat permit ip x.x.x.0 host y.y.y.a

Nat (inside) 0 access-list nonat

Hope this helps.



esossamon Mon, 07/19/2010 - 20:37

Sorry I should have said I want the hosts in network X to be NAT'ed when they are trying to reach that one host in object-group Y

Jitendriya Athavale Mon, 07/19/2010 - 23:31

let y.y.y.y be the host to which when users in x access after natting

we can use variable subnetting

if you are ok to change this ip to something else

i mean all those hosts in y network which need to accessed by x without natting in one subnet say y.y.y.0 as this is the max you can go to divide them equally into 2 parts

and the host which needs the x to be natted in y.y.y.128 subnet

and then you can modify access-list and nat stements accordingly

Jitendriya Athavale Tue, 07/20/2010 - 05:00

forgot to mention one more thing

can you use nat exempt instead of identity nat

and in the nat exempt you can deny the traffic which needs to be natted

Nagaraja Thanthry Tue, 07/20/2010 - 05:27


As Jathaval has said, with the way you have configured, it is not possible to NAT when you are accessing one specific device in the y.y.y.0 subnet. However, you could modify your configuration and use NAT-0 instead of identity NAT and make it work. You do need to remember that when you remove identity and configure NAT-0, you will loose the ability to initiate connection from y.y.y.0 side to x.x.x.0 side.

access-list nonat deny ip x.x.x.0 host y.y.y.y

access-list nonat permit ip x.x.x.0 y.y.y.0

nat (inside) 0 access-list nonat

Other option is to change the IP of y.y.y.y host as it appears to the firewall. If you have another router between the firewall and y.y.y.0 subnet, then you could configure the router such that the host y.y.y.y appears as z.z.z.z for the ASA. That makes our life simple as you do not need to make any changes to the existing configuration. Only thing will be that your x.x.x.0 users will be accessing z.z.z.z address instead of y.y.y.y address.

Hope this helps.




This Discussion