Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Help me understand CCO documentation re NAT exemption

Hi - In the ASA configuration guide for NAT, version 8.2 code, it states the following when referring to NAT exemption;

" Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. "

To me, this says that if I specify a host or a network in an ACL and tie that to the "nat 0 access-list" command, then I cannot then NAT that same host or network.

Our firewall has numerous NAT exemption rules on the inside interface for traffic to the DMZ and some to the outside (VPN subnets) but at the end of all the NAT statements, is one that matches any, and overloads it to the outside interface.

What we are doing works, but contradicts what I understand from the documentation.

Can anyone help me understand what the doumentation means with regards to the statement above?

Many Thanks in advance


Cisco Employee

Help me understand CCO documentation re NAT exemption

Hi Dom,

The statement you're referencing is explaining that NAT exemption through the NAT 0 command is only applied to the ingress interface, and it will take effect for all egress interfaces. For example, say you have the following config:

access-list nat0-acl permit ip host host

nat (inside) 0 access-list nat0-acl

The above config will perform NAT exemption for all IP traffic from to This is regardless of whether lives off the outside interface or the DMZ interface. We only care about the interface the packet arrives on and the egress interface is never specified.

This is different from your normal dynamic NAT statements, which pair an ingress and egress interface. For example:

nat (inside) 1

global (outside) 1

global (dmz) 1

With the above config, the network will be dynamically PAT'ed to when it talks to hosts on the outside interface. However, it will be dynamically PAT'ed to when it talks to hosts on the dmz interface.

Your config works because the ASA processes NAT 0 exemptions first, followed by the rest of the dynamic nat/global pairs in order. So, if a packet doesn't match any of your NAT exemption rules, it will fall through to your dynamic PAT (overload) statement that translates it to the outside interface IP.


CreatePlease to create content