
New Member

ASA NAT Exempt Rule

Hi,

Based on the attached diagram, I want to allow the network monitoring server to monitor the remote branch routers. Can I configure the ASA to allow traffic from the monitoring server to the branch routers without performing NAT? If not, is there any way for us to achieve the objective?

Thanks in advance.

4 REPLIES
Hall of Fame Super Blue

Re: ASA NAT Exempt Rule

Hi

Yes, as long as the server IP address 2.2.2.2 is routable across your WAN and is not used anywhere else, this should be no problem at all.

It's not clear from your diagram what the addressing scheme is but as long as the remote sites route 2.2.2.2 back to HQ you should be fine.

HTH

Jon

New Member

Re: ASA NAT Exempt Rule

I've tested the configuration with the commands below, but it is still not working.

nat (outside) 0 access-list outside_nat0_inbound

access-list outside_nat0_inbound extended permit ip host 2.2.2.2 host 1.1.1.1

I've checked the firewall log, and below is the error:

No translation group found for icmp src outside: 2.2.2.2 dst inside:1.1.1.1 (type 8, code 0)

Any ideas?

Hall of Fame Super Blue

Re: ASA NAT Exempt Rule

Hi

I actually misread your diagram at first. The monitoring server is on the outside. You should not have to worry about a translation for 2.2.2.2.

If you did have to use a nat statement for every host on the outside of an ASA it would be very difficult to use it as an internet firewall :)

Do you have translations set up for the inside servers, e.g.

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

Jon

New Member

Re: ASA NAT Exempt Rule

Hi Jon,

All of the remote routers are located within the "inside" network; the monitoring server is located on the "outside" network. I'll test the suggested command, but the command is only applicable to one single host/router. How about the rest of the remote routers?

Thanks.

Beng Hock
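As an added example (not Jon's reply, and not from the original thread), here is the pre-8.3 ASA configuration that Jon's identity static implies, widened from one host to the whole inside range, plus the outside interface ACL that the flow still needs. The range 192.168.0.0/16, the ACL name outside_access_in, and SNMP as the monitoring protocol are assumed placeholders, since the thread's diagram is not reproduced here.

```text
! Identity static (inside,outside) covering the whole inside range that holds
! the branch routers, so no per-host static is required. 192.168.0.0/16 is a
! placeholder; substitute the real inside summary from the diagram.
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
!
! An identity static only clears the "No translation group found" check.
! Traffic arriving on the outside interface must still be permitted by the
! interface ACL, and it should be limited to the monitoring host and the
! protocols it actually uses (ICMP echo, as seen in the log, and SNMP here).
access-list outside_access_in extended permit icmp host 2.2.2.2 192.168.0.0 255.255.0.0 echo
access-list outside_access_in extended permit udp host 2.2.2.2 192.168.0.0 255.255.0.0 eq snmp
access-group outside_access_in in interface outside
```

With the identity static in place, the nat (outside) 0 access-list lines from the earlier post are not needed for this flow, because the untranslated address is the inside router, not the outside monitoring server.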
