
v8.3 and above & NAT

Bob MacLean
Level 1

I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.

We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.

1 Accepted Solution


For static NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

becomes:

object network obj_test

  host 192.168.1.5

nat (inside,outside) source static obj_test obj_test     ------------> Manual NAT

or

object network obj_test

  host 192.168.1.5

  nat (inside,outside) static 192.168.1.5                         ------------> Auto NAT (this is done inside the object only)

NAT exemption:

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 0 access-list exempt1

becomes:

object network obj_test1

  subnet 192.168.1.0 255.255.255.0

object network obj_any

  subnet 0.0.0.0 0.0.0.0

nat (inside,any) source static obj_test1 obj_test1 destination static obj_any obj_any

I hope I was able to clear your doubts.

Thanks,

Varun

Thanks,
Varun Rao
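
The NAT-exemption translation in the answer above, generalised to every `permit ip` entry of the exemption ACL, as an added example in Python (not part of the original post and not a Cisco tool). The function names, the generated object names such as `obj_192.168.1.0_24`, and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of pre-8.3 configuration (first entry is the thread's own).
OLD_CONFIG = """\
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
access-list exempt1 extended permit ip host 192.168.1.5 10.0.0.0 255.0.0.0
nat (inside) 0 access-list exempt1
"""

def take_addr(tokens):
    """Consume one ACL address spec; return (object name, object body line)."""
    first = tokens.pop(0)
    if first == "any":
        return "obj_any", "subnet 0.0.0.0 0.0.0.0"
    if first == "host":
        ip = ipaddress.ip_address(tokens.pop(0))
        return f"obj_{ip}", f"host {ip}"
    net = ipaddress.ip_network(f"{first}/{tokens.pop(0)}")  # rejects a bad mask
    return (f"obj_{net.network_address}_{net.prefixlen}",
            f"subnet {net.network_address} {net.netmask}")

def convert_nat_exemption(config):
    """Translate 'nat (ifc) 0 access-list NAME' into 8.3+ identity manual NAT."""
    acls, out, defined = {}, [], set()
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (.+)", line)
        if m:
            tokens = m.group(2).split()
            acls.setdefault(m.group(1), []).append((take_addr(tokens), take_addr(tokens)))
        elif line.startswith("access-list"):
            # Refuse to guess at deny or port-based entries; review them by hand.
            raise ValueError(f"unsupported ACL entry: {line}")
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"nat\s*\(([^)\s]+)\) 0 access-list (\S+)", line)
        if not m:
            continue
        ifc, name = m.groups()
        if name not in acls:
            raise ValueError(f"nat 0 references unknown access-list {name}")
        for src, dst in acls[name]:
            for obj, body in (src, dst):
                if obj not in defined:  # define each network object only once
                    defined.add(obj)
                    out += [f"object network {obj}", f" {body}"]
            out.append(f"nat ({ifc},any) source static {src[0]} {src[0]} "
                       f"destination static {dst[0]} {dst[0]}")
    return out

if __name__ == "__main__":
    print("\n".join(convert_nat_exemption(OLD_CONFIG)))
```

Each ACL entry becomes one identity rule in ACL order, so the generated lines should be reviewed against any other manual NAT rules already on the device before they are applied.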


7 Replies

varrao
Level 10

Hi Bob,

You can refer to this doc, this might make it simple for you:

Hope that helps.

Varun

Let me know if you have any confusions.

Thanks,
Varun Rao

Also, you would find good docs on the support forum as well, like these:

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

Video:

https://supportforums.cisco.com/docs/DOC-12324

Thanks,

Varun

Thanks,
Varun Rao

The pdf is a good document to have so thanks for putting it up, but there's nothing in it on NAT exemption. I have seen all these documents and none discuss NAT exemption (NAT 0 access-list).

Specifically, how do you move from either of these 2 methods used to avoid NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

(note: the IP's involved here are actually public IP's, not private)

OR

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 0 access-list exempt1

to 8.3 or higher NAT notation?

Then, this might be what you are looking for:

https://supportforums.cisco.com/docs/DOC-11639

Hope that helps,

Varun

Thanks,
Varun Rao


Many thanks. I have to add my vote to those who say this new syntax in 8.3+ is not great but so what, we have to adapt to it.

Sure, thanks. I work with the 8.3 NAT day in and day out and I feel it is far better than the earlier ones. It seems more logical, although yes, there might be some things like creating objects, but overall it's a thumbs up from me.

Cheers,

Varun

Thanks,
Varun Rao