Help me understand CCO documentation re NAT exemption

d-fillmore
Level 2

Hi - In the ASA configuration guide for NAT, version 8.2 code, it states the following when referring to NAT exemption:

"Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces."

To me, this says that if I specify a host or a network in an ACL and tie that to the "nat 0 access-list" command, then I cannot then NAT that same host or network.

Our firewall has numerous NAT exemption rules on the inside interface for traffic to the DMZ and some to the outside (VPN subnets) but at the end of all the NAT statements, is one that matches any, and overloads it to the outside interface.

What we are doing works, but contradicts what I understand from the documentation.

Can anyone help me understand what the documentation means with regards to the statement above?

Many Thanks in advance

Dom


mirober2
Cisco Employee

Hi Dom,

The statement you're referencing is explaining that NAT exemption through the NAT 0 command is only applied to the ingress interface, and it will take effect for all egress interfaces. For example, say you have the following config:

access-list nat0-acl permit ip host 10.1.1.1 host 192.168.1.1

nat (inside) 0 access-list nat0-acl

The above config will perform NAT exemption for all IP traffic from 10.1.1.1 to 192.168.1.1. This is regardless of whether 192.168.1.1 lives off the outside interface or the DMZ interface. We only care about the interface the packet arrives on and the egress interface is never specified.

This is different from your normal dynamic NAT statements, which pair an ingress and egress interface. For example:

nat (inside) 1 10.2.2.0 255.255.255.0

global (outside) 1 192.168.2.2

global (dmz) 1 192.168.3.3

With the above config, the 10.2.2.0/24 network will be dynamically PAT'ed to 192.168.2.2 when it talks to hosts on the outside interface. However, it will be dynamically PAT'ed to 192.168.3.3 when it talks to hosts on the dmz interface.

Your config works because the ASA processes NAT 0 exemptions first, followed by the rest of the dynamic nat/global pairs in order. So, if a packet doesn't match any of your NAT exemption rules, it will fall through to your dynamic PAT (overload) statement that translates it to the outside interface IP.

-Mike
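To make the matching order Mike describes concrete, here is an added Python model (not from the thread, and not Cisco code) that walks one flow through the nat 0 exemption check first and then the ordered nat/global pairs. The policy, addresses and the catch-all overload are constructed to mirror the two snippets above and the setup Dom describes.

```python
import ipaddress

# Constructed example policy (not the thread's real firewall): Mike's two snippets
# plus a catch-all overload like the one Dom has at the end of his NAT list.
N = ipaddress.ip_network
POLICY = {
    # nat (inside) 0 access-list nat0-acl -> list of (source net, destination net) permits
    "nat0": {"inside": [(N("10.1.1.1/32"), N("192.168.1.1/32"))]},
    # nat (inside) <id> <network> in configuration order; id 2 stands for "nat (inside) 2 0 0"
    "nat": {"inside": [(1, N("10.2.2.0/24")), (2, N("0.0.0.0/0"))]},
    # global (<egress>) <id> <address>; "interface" stands for the egress interface's own IP
    "global": {("outside", 1): "192.168.2.2", ("dmz", 1): "192.168.3.3",
               ("outside", 2): "interface"},
}

def acl_matches(acl, src, dst):
    """True if any permit line of the nat 0 ACL covers this source/destination pair."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)

def apply_nat(policy, ingress, egress, src, dst):
    """Evaluate one flow in the order Mike describes.

    1. nat (ingress) 0 access-list: exemption depends only on the ingress interface
       and the ACL; the egress interface is never consulted.
    2. nat (ingress) <id> <network>, top to bottom, paired with global (egress) <id>.
    Returns ("exempt", None), ("pat", <global address>) or, when a nat line matches
    but the egress interface has no global for that id, ("none", None). This is a
    simplification: the real ASA treats that case as a missing translation group.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_matches(policy["nat0"].get(ingress, []), src, dst):
        return ("exempt", None)
    for nat_id, net in policy["nat"].get(ingress, []):
        if src in net:
            pool = policy["global"].get((egress, nat_id))
            return ("pat", pool) if pool is not None else ("none", None)
    return ("none", None)

if __name__ == "__main__":
    # The exempted pair stays exempt whichever interface 192.168.1.1 lives behind,
    # while the same source host going elsewhere falls through to the overload.
    for flow in [("inside", "dmz", "10.1.1.1", "192.168.1.1"),
                 ("inside", "outside", "10.1.1.1", "203.0.113.7"),
                 ("inside", "dmz", "10.2.2.5", "192.168.3.50")]:
        print(flow, "->", apply_nat(POLICY, *flow))
```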
