I have a device on dmz2 for which the company apparently does NAT for us. I've tried to exempt NAT traffic, but it's not working. My DMZ interface is 10.45.127.66, and they said that I can source from that address. I've thought about NATting the connection, so I need some clarification:
I have the following:
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 10.128.0.0 255.255.0.0
access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
The device in question is in dmz2: 10.45.127.6
My routes point to that device for their specified subnet. The problem I have is figuring out how to NAT this one connection, and whether what I'm thinking will break other things:
global (dmz2) 45 interface
nat (inside) 45 10.128.0.0 255.255.0.0
nat (inside) 45 10.1.0.0 255.255.0.0
access-list NONAT line 1 extended permit ip 10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 2 extended deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 2 extended deny ip 10.1.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 3 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 4 extended permit ip 10.129.0.0 255.255.0.0 10.45.0.0 255.255.0.0
These are my proposed changes, but I wanted to verify my thinking. The 10.128.0.0 subnet, when using NAT, will still NAT out depending on the exit interface it uses, correct? So the NAT exemption is the thing I'm really questioning: should I create a static translation for them instead, and will the static take precedence over the NAT exemption?
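As an added example (not part of the original post), the following Python models the proposed NONAT list as a top-down, first-match ACL and checks which flows it exempts and which fall through to the dynamic NAT on dmz2; it assumes a deny ACE means "not exempted" and does not model any other ASA rule types.

```python
import ipaddress

# The proposed NONAT entries from the post, in the author's order
# (constructed from the post; the ASA "line" numbers are omitted).
NONAT = [
    ("permit", "10.125.0.0/16", "10.45.0.0/16"),
    ("deny",   "10.128.0.0/16", "10.45.137.0/24"),
    ("deny",   "10.1.0.0/16",   "10.45.137.0/24"),
    ("permit", "10.128.0.0/16", "10.45.0.0/16"),
    ("permit", "10.129.0.0/16", "10.45.0.0/16"),
]


def first_match(acl, src, dst):
    """Return (action, index) of the first ACE matching src->dst, else (None, None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, sn, dn) in enumerate(acl):
        if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn):
            return action, i
    return None, None


def nat_decision(src, dst, acl=NONAT):
    """Model (assumption): a permit hit exempts the flow from NAT; a deny hit
    or no hit at all leaves it to the regular 'nat (inside) 45' rule, which
    PATs it to the dmz2 interface address when dmz2 is the exit interface."""
    action, idx = first_match(acl, src, dst)
    if action == "permit":
        return "exempt (no NAT)", idx
    return "dynamic NAT (global id 45 on dmz2)", idx


def shadowed_denies(acl):
    """Indices of deny ACEs fully covered by an earlier permit; those never
    fire, which is the ordering mistake to check for when editing NONAT."""
    out = []
    for i, (action, sn, dn) in enumerate(acl):
        if action != "deny":
            continue
        sn, dn = ipaddress.ip_network(sn), ipaddress.ip_network(dn)
        for p_action, psn, pdn in acl[:i]:
            if (p_action == "permit"
                    and sn.subnet_of(ipaddress.ip_network(psn))
                    and dn.subnet_of(ipaddress.ip_network(pdn))):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    for src, dst in [("10.128.5.5", "10.45.137.10"), ("10.128.5.5", "10.45.127.6")]:
        print(src, "->", dst, nat_decision(src, dst))
    print("shadowed deny ACEs:", shadowed_denies(NONAT))
```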