New Member

How to NAT by default with exceptions (ASA)

Hi Guys,

I have an ASA 5510 (OS 7.0.2) that separates a remote access subnet from an ecommerce subnet.

What I want to implement is a configuration that says, by default, NAT from the remote access subnet is not required; however, some specific addresses need to be NAT'd.

I am thinking of implementing the following config, but I'm not certain it will work and I do not have a test environment to test in:

! By default, traffic is NAT'd to
nat (remote_access_if) 1
global (ecommerce_subnet_if) 1

! Specified traffic not to NAT
access-list NAT_EXCEPTIONS extended permit ip and
access-list NAT_EXCEPTIONS extended permit ip and

! Do not NAT specified traffic
nat (remote_access_if) 2 access-list NAT_EXCEPTIONS
global (ecommerce_subnet_if) 2

My fear is this will NAT traffic I don't want NAT'd to

Can anyone confirm if my config is suitable to meet my objectives?




Cisco Employee

Re: How to NAT by default with exceptions (ASA)

NAT exemption (NAT 0 with ACL) takes precedence over the dynamic NAT, hence you can't configure a generic ACL with the whole subnet to be exempted.

global (ecommerce_subnet_if) 2 ---> this is an incorrect statement. You can't configure global with, and a nat and global pair is actually configured to NAT the traffic.

If you can share the interface subnet of both remote and ecommerce as well as the security level configured for each interface, plus what ip you would like to NAT and to NAT it to what ip address, as well as what you do not want to NAT, then I can try to put something together if it is possible.

New Member

Re: How to NAT by default with exceptions (ASA)

Hi Halijen,

Thanks for your response. I figured I'd have to list all the exceptions under nat 0, but there are quite a few so I'm hoping there is another way to do this.

Here is the detail you requested:

interface Ethernet0/2.1
 nameif REMOTE
 security-level 10

By default, traffic should not be NAT'd coming from this interface; however, there are some key IPs that I need to NAT (e.g. NAT'd to and NAT'd to

interface Ethernet0/3.2
 security-level 20

If you know of a workaround I would really appreciate you sharing it with me.

Thanks in advance



Cisco Employee

Re: How to NAT by default with exceptions (ASA)

OK, so you would like to NAT from low security level to high security level. And traffic is between to and

To start with, I assume you already have the following configured:

access-list ecommerce-nonat permit ip
access-list ecommerce-nonat permit ip
nat (ECOMMERCE) 0 access-list ecommerce-nonat

In regards to what you would like to achieve, then you would need to add the following:

access-list remote-pat-1 permit ip
access-list remote-pat-2 permit ip

nat (REMOTE) 5 access-list remote-pat-1 outside
global (ECOMMERCE) 5

nat (REMOTE) 6 access-list remote-pat-2 outside
global (ECOMMERCE) 6

Hope that makes sense.

New Member

Re: How to NAT by default with exceptions (ASA)

Hi Halijen,

I'm still a little confused. Perhaps you can answer another question for me that would help further my understanding.

Of the following 3 types of NAT rules, what order does the ASA process them in? I.e. what has priority? Does a static rule take precedence over global rules?

Exception rule, e.g.:
nat (if) 0 access-list list
global (if) 0 NAT_IP_address

Global rules, e.g.:
nat (if) # access-list list
global (if) # NAT_IP_address

Static rules, e.g.:
static (if, NAT if) NAT_if source_IP netmask mask

I'm sure if I can better understand how the unit handles NAT I can ensure I'm asking and expecting the right questions/information.

Thanks in advance



Re: How to NAT by default with exceptions (ASA)


The exception rule that you added is incorrect.

You only need the NAT statement. There's no global 0 statement for identity NAT.

The STATIC NAT rules take precedence over the dynamic NAT rules.

Look at the order of NAT precedence on the ASA:

Hope to help.


Cisco Employee

Re: How to NAT by default with exceptions (ASA)

Federico is correct.

Here is the order of operation:

1) NAT 0 with ACL - NAT exemption

2) Static NAT

3) Dynamic NAT - nat/global pair

The above is correct for source NAT (traffic from high to low security level).

For destination NAT (i.e. NATing traffic from low to high security level), for dynamic NAT you would need to add the "outside" keyword, plus you also need to have source NAT as per my example earlier.
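The precedence order given above (and the earlier point that a blanket nat 0 exemption beats any nat/global pair for the same hosts) can be checked with a small model. The following Python is an added example, not Cisco code and not a configuration from this thread: it encodes only the three-step order of operation stated here, breaks ties within one class in configuration order (an assumption of the model), ignores the security-level and "outside" keyword details as well as nat-control, and uses constructed RFC 5737 documentation addresses in place of the poster's real subnets.

```python
"""Toy model of pre-8.3 ASA NAT rule precedence (added example, not Cisco code).

Order of operation as stated in the thread:
  1. nat 0 with access-list  -> NAT exemption (flow is never translated)
  2. static NAT
  3. dynamic NAT (nat/global pair)
Ties inside one class are broken in configuration order (an assumption of this
model; the real ASA applies further ordering rules that are not covered here).
All addresses below are constructed RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass
class Ace:
    """One 'access-list NAME permit ip SRC DST' entry."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(src_ip, self.src) and _in(dst_ip, self.dst)


@dataclass
class NatRule:
    kind: str                                # 'exempt' | 'static' | 'dynamic'
    interface: str                           # real-side interface (nameif)
    acl: List[Ace] = field(default_factory=list)   # set for nat 0 / policy NAT
    real: Optional[str] = None               # real network (static, regular dynamic)
    mapped: Optional[str] = None             # mapped address (static) or global pool

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.acl:                         # policy rule: match on the ACL
            return any(a.matches(src_ip, dst_ip) for a in self.acl)
        return self.real is not None and _in(src_ip, self.real)


PRECEDENCE = {"exempt": 0, "static": 1, "dynamic": 2}


def lookup(rules: List[NatRule], interface: str, src_ip: str,
           dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (kind, mapped) for the rule a flow hits, honouring the precedence order."""
    hits = [r for r in rules if r.interface == interface and r.matches(src_ip, dst_ip)]
    hits.sort(key=lambda r: PRECEDENCE[r.kind])   # stable sort: config order within a class
    if not hits:
        return ("untranslated", None)
    best = hits[0]
    return (best.kind, None if best.kind == "exempt" else best.mapped)


# Constructed stand-ins for the poster's REMOTE and ecommerce subnets and key hosts.
REMOTE_NET, ECOM_NET = "192.0.2.0/24", "198.51.100.0/24"
KEY_HOSTS = {"192.0.2.10": "203.0.113.10", "192.0.2.20": "203.0.113.20"}


def original_plan() -> List[NatRule]:
    """Exempt the whole REMOTE subnet, then try to NAT two hosts with later nat-ids."""
    rules = [NatRule("exempt", "REMOTE", acl=[Ace(REMOTE_NET, ECOM_NET)])]
    for real, mapped in KEY_HOSTS.items():
        rules.append(NatRule("dynamic", "REMOTE", acl=[Ace(real, ECOM_NET)], mapped=mapped))
    return rules


def exceptions_only_plan() -> List[NatRule]:
    """No blanket exemption: only the key hosts get policy NAT rules."""
    return [NatRule("dynamic", "REMOTE", acl=[Ace(real, ECOM_NET)], mapped=mapped)
            for real, mapped in KEY_HOSTS.items()]


if __name__ == "__main__":
    for name, plan in (("original", original_plan()), ("exceptions-only", exceptions_only_plan())):
        for host in ("192.0.2.10", "192.0.2.99"):
            print(name, host, "->", lookup(plan, "REMOTE", host, "198.51.100.5"))
```

Running the script shows the two outcomes the thread describes: under the original plan every REMOTE host, including the two key hosts, is caught by the exemption because nat 0 is evaluated first, so the later nat/global pairs never apply; with only per-host policy NAT rules, the key hosts are translated and everything else is left untranslated. Whether an untranslated flow is then permitted through the firewall depends on nat-control, which the model does not cover.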

New Member

Re: How to NAT by default with exceptions (ASA)

Thanks, gents. I will do some testing and let you know how I go.


