v8.3 and above & NAT

Answered Question
Oct 5th, 2011

I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.

We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.

bobcismac Wed, 10/05/2011 - 08:54

The PDF is a good document to have, so thanks for putting it up, but there's nothing in it on NAT exemption. I have seen all these documents and none discuss NAT exemption (NAT 0 access-list).

Specifically, how do you move from either of these two methods used to avoid NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

(note: the IPs involved here are actually public IPs, not private)

OR

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1

to 8.3 or higher NAT notation?

Correct Answer
varrao Wed, 10/05/2011 - 09:13

For static NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

becomes:

object network obj_test
  host 192.168.1.5
nat (inside,outside) source static obj_test obj_test     ------------> Manual NAT

or

object network obj_test
  host 192.168.1.5
  nat (inside,outside) static 192.168.1.5     ------------> Auto NAT (this is done inside the object only)

NAT exemption:

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1

becomes:

object network obj_test1
  subnet 192.168.1.0 255.255.255.0
object network obj_any
  subnet 0.0.0.0 0.0.0.0
nat (inside,any) source static obj_test1 obj_test1 destination static obj_any obj_any

I hope I was able to clear your doubts.

Thanks,

Varun
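The two rewrites in the answer above (identity "static" and "nat 0 access-list" exemption) follow a mechanical pattern, so here is a small translator that applies it to a whole pre-8.3 config fragment. This is an added example written for this thread, not Cisco code and not anything the poster supplied: it only understands the two forms quoted here, the ACL must be "permit ip", and the object names it generates (obj_192_168_1_5, obj_192_168_1_0_24, obj_any) are a made-up naming scheme. It goes slightly beyond the thread in that a "static" whose mapped and real addresses differ is emitted as a normal manual (twice) NAT rather than an identity rule.

```python
"""Convert the two pre-8.3 ASA constructs from this thread (identity
'static' and 'nat 0 access-list' exemption) into 8.3+ object / manual NAT.
Added example for this thread, not Cisco code; object names are made up."""
import re
from collections import OrderedDict

IP = r'\d{1,3}(?:\.\d{1,3}){3}'
ENDPOINT = rf'(?:any|host\s+{IP}|{IP}\s+{IP})'

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    rf'^static\s*\((?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\)\s+'
    rf'(?P<mapped>{IP})\s+(?P<real>{IP})\s+netmask\s+(?P<mask>{IP})$')
# nat (ifc) 0 access-list NAME
NAT0_RE = re.compile(
    r'^nat\s*\((?P<ifc>[\w-]+)\)\s+0\s+access-list\s+(?P<acl>\S+)$')
# access-list NAME [extended] permit ip SRC DST
ACL_RE = re.compile(
    rf'^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+ip\s+'
    rf'(?P<src>{ENDPOINT})\s+(?P<dst>{ENDPOINT})$')


def _endpoint(text):
    """ACL address token -> (network, mask)."""
    parts = text.split()
    if parts[0] == 'any':
        return '0.0.0.0', '0.0.0.0'
    if parts[0] == 'host':
        return parts[1], '255.255.255.255'
    return parts[0], parts[1]


def _obj_name(ip, mask):
    """Derive a network-object name (hypothetical naming scheme)."""
    if mask == '0.0.0.0':
        return 'obj_any'
    name = 'obj_' + ip.replace('.', '_')
    if mask != '255.255.255.255':
        name += '_%d' % sum(bin(int(o)).count('1') for o in mask.split('.'))
    return name


def convert_pre83(config):
    """Return 8.3+ config text: object definitions first, then NAT rules."""
    objects = OrderedDict()
    acls = {}
    rules = []

    def define(ip, mask):
        name = _obj_name(ip, mask)
        if name not in objects:
            objects[name] = (' host %s' % ip if mask == '255.255.255.255'
                             else ' subnet %s %s' % (ip, mask))
        return name

    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # First pass: collect ACL entries, since 'nat 0' may precede its ACL.
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m['acl'], []).append(
                (_endpoint(m['src']), _endpoint(m['dst'])))
    # Second pass: rewrite each NAT statement in its original order.
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            real = define(m['real'], m['mask'])
            mapped = define(m['mapped'], m['mask'])
            rules.append('nat (%s,%s) source static %s %s'
                         % (m['real_ifc'], m['mapped_ifc'], real, mapped))
            continue
        m = NAT0_RE.match(line)
        if m:
            if m['acl'] not in acls:
                raise ValueError('nat 0 references unknown ACL %s' % m['acl'])
            for src, dst in acls[m['acl']]:
                s, d = define(*src), define(*dst)
                rules.append('nat (%s,any) source static %s %s '
                             'destination static %s %s' % (m['ifc'], s, s, d, d))
            continue
        if line.startswith(('static', 'nat')):
            raise ValueError('unsupported pre-8.3 NAT form: ' + line)

    out = []
    for name, body in objects.items():
        out.append('object network ' + name)
        out.append(body)
    return '\n'.join(out + rules)


# Constructed sample, taken from the lines quoted in this thread.
SAMPLE = """\
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
"""

if __name__ == '__main__':
    print(convert_pre83(SAMPLE))
```

The rules come out in the same order as the source lines, which matters because 8.3+ evaluates manual NAT rules top-down in section 1, ahead of the auto NAT rules in section 2; after pasting the result, confirm the ordering and hit counts with "show nat" before trusting that the exemption still wins over any translating rule.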

bobcismac Wed, 10/05/2011 - 09:41

Many thanks. I have to add my vote to those who say this new syntax in 8.3+ is not great but so what, we have to adapt to it.

varrao Wed, 10/05/2011 - 09:44

Sure, thanks. I work with the 8.3 NAT day in and day out and I feel it is far better than the earlier ones; it seems more logical, although yes, there might be some things like creating objects, but overall it's a thumbs up from me.

Cheers,

Varun

Posted October 5, 2011 at 8:10 AM