10-05-2011 08:10 AM - edited 03-11-2019 02:34 PM
I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit, but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (nat 0 access-list) was deprecated. Using ASDM, there's no obvious corresponding menu item for this.
We have public addresses inside the ASA and want to allow inbound/outbound connections using these IPs without NAT. The ASA is a 5550.
10-05-2011 09:13 AM
For static NAT:
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
becomes:
object network obj_test
 host 192.168.1.5
nat (inside,outside) source static obj_test obj_test ------------> Manual NAT
or
object network obj_test
 host 192.168.1.5
 nat (inside,outside) static 192.168.1.5 ------------> Auto NAT (this is done inside the object only)
NAT exemption:
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
becomes:
object network obj_test1
 subnet 192.168.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,any) source static obj_test1 obj_test1 destination static obj_any obj_any
I hope I was able to clear your doubts.
Thanks,
Varun
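The mapping in the answer above can be applied mechanically to a whole legacy configuration. The script below is an added example, not code from the thread or from Cisco: it parses the two pre-8.3 forms quoted in this thread (static identity/one-to-one entries, and nat 0 access-list exemptions) and emits the corresponding 8.3+ object NAT and twice NAT lines. It goes slightly beyond the single case in the answer: a static whose mapped and real addresses differ becomes a normal object NAT static, and an ACE whose destination is a host or subnet rather than any gets its own destination object. The object naming convention (obj-<addr>, obj-<addr>-<prefix>, obj-any) and the sample LEGACY text are this example's own assumptions. Two practitioner caveats the thread does not spell out: in 8.3+ interface access lists match on real (untranslated) addresses, which changes nothing for identity NAT but means an ACL written against a mapped address must be rewritten when real and mapped differ; and after loading the result, confirm the rules with "show nat detail" and a "packet-tracer" run in each direction before trusting them.

```python
"""Added example (not from the thread): translate pre-8.3 "no translation" entries
into 8.3+ object NAT / twice NAT using the mapping given in the accepted answer.

  static (in,out) MAPPED REAL netmask MASK   -> object NAT (identity when MAPPED == REAL)
  access-list NAME permit ip SRC [DST]       -> twice NAT identity, one rule per ACE
  nat (in) 0 access-list NAME

Object names (obj-<addr>[-<prefix>], obj-any) are this script's own convention.
"""
import ipaddress
import re

# Tolerate the spacing variants seen in the thread: "static(inside, outside)", "nat(inside) 0".
STATIC_RE = re.compile(
    r"^static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+([\d.]+)\s+([\d.]+)\s+netmask\s+([\d.]+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s*\(\s*(\w+)\s*\)\s+0\s+access-list\s+(\S+)$")


def _net(addr, mask):
    # ASA ACLs use real subnet masks (not wildcards), which ipaddress accepts directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _endpoint(tokens):
    """Consume one ACE address spec: 'any', 'host A', or 'A MASK'. Return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def object_lines(net):
    """Return (object name, config lines) for a network object covering net."""
    if net.prefixlen == 0:
        return "obj-any", ["object network obj-any", " subnet 0.0.0.0 0.0.0.0"]
    if net.prefixlen == 32:
        name = f"obj-{net.network_address}"
        return name, [f"object network {name}", f" host {net.network_address}"]
    name = f"obj-{net.network_address}-{net.prefixlen}"
    return name, [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def convert(config_text):
    """Return the 8.3+ configuration lines for every static / nat 0 entry in config_text.

    Lines that are not one of the three legacy forms are ignored. A 'nat 0' that names an
    ACL not seen earlier raises ValueError, since the rule cannot be reconstructed.
    """
    out, acls, defined = [], {}, set()

    def define(net):
        # Emit each exemption object once; later rules just reference it by name.
        name, lines = object_lines(net)
        if name not in defined:
            defined.add(name)
            out.extend(lines)
        return name

    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            # Object NAT: the nat command lives inside the object, so always emit the
            # object header with it (re-entering an existing object is harmless on the ASA).
            name, lines = object_lines(_net(real, mask))
            defined.add(name)
            out.extend(lines + [f" nat ({real_if},{mapped_if}) static {mapped}"])
            continue
        m = ACL_RE.match(line)
        if m:
            src, rest = _endpoint(m.group(2).split())
            dst = _endpoint(rest)[0] if rest else ipaddress.ip_network("0.0.0.0/0")
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            ifc, acl = m.groups()
            if acl not in acls:
                raise ValueError(f"nat 0 references undefined access-list {acl}")
            for src, dst in acls[acl]:
                s, d = define(src), define(dst)
                # Twice NAT identity rule: real == mapped for both source and destination.
                out.append(f"nat ({ifc},any) source static {s} {s} destination static {d} {d}")
    return out


if __name__ == "__main__":
    LEGACY = """
    static(inside, outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
    access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
    nat(inside) 0 access-list exempt1
    """  # constructed from the two forms quoted in the thread
    print("\n".join(convert(LEGACY)))
```

Running it on the constructed LEGACY text prints the object NAT identity for 192.168.1.5 followed by the obj-192.168.1.0-24 / obj-any objects and the twice NAT identity rule, matching the answer line for line apart from the object names. The destination object is emitted even for any, as in the answer, because a twice NAT identity rule needs a destination object to keep the destination untranslated in both directions.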
10-05-2011 08:21 AM
10-05-2011 08:23 AM
Also, you would find good docs on the support forum as well, like these:
https://supportforums.cisco.com/docs/DOC-9129#comment-3934
Video:
https://supportforums.cisco.com/docs/DOC-12324
Thanks,
Varun
10-05-2011 08:54 AM
The PDF is a good document to have, so thanks for putting it up, but there's nothing in it on NAT exemption. I have seen all these documents and none discuss NAT exemption (nat 0 access-list).
Specifically, how do you move from either of these two methods used to avoid NAT:
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
(note: the IPs involved here are actually public IPs, not private)
OR
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
to 8.3 or higher NAT notation?
10-05-2011 09:00 AM
Then, this might be what you are looking for:
https://supportforums.cisco.com/docs/DOC-11639
Hope that helps,
Varun
10-05-2011 09:41 AM
Many thanks. I have to add my vote to those who say this new syntax in 8.3+ is not great, but so what, we have to adapt to it.
10-05-2011 09:44 AM
Sure, thanks. I work with the 8.3 NAT day in and day out and I feel it is far better than the earlier ones; it seems more logical. Although yes, there might be some things like creating objects, overall it's a thumbs up from me.
Cheers,
Varun