Cisco Support Community
New Member

Identity nat

Hi,

The Cisco guide says that "when you configure identity NAT or exempt NAT, you do not limit translation for a host on specific interfaces; you must choose identity NAT for all the connections through all the interfaces. Hence you cannot choose normal translations on real addresses when you access int A, but use identity when accessing int B."

1. Simply not able to understand at all what that means. Say a n/w of 192.168.0.0 255.255.0.0

Identity NAT will be like nat (inside) 0 192.168.0.0 255.255.0.0

and also PATed like

nat (inside) 1 192.168.0.0 255.255.0.0

global (outside) 1 interface

Where does the significance of interface A and B come in?

2. Exempt NAT.

I have a config like:

nat (inside) 1 192.168.0.0 255.255.0.0

global (outside) 1 interface

Internet works fine.

Now I use exempt on the same, i.e.

access-list inside_outbound permit ip 192.168.0.0 255.255.0.0 any

nat (inside) 0 access-list inside_outbound

Will this block the internet access?

Reg,

Sushil

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Identity nat

For e.g., say

nat (inside) 0 192.168.0.0 255.255.0.0

Here the traffic from 192.168.0.0/16 will be sent as it is without NAT, to both outside and any other DMZ interfaces if present.

3 REPLIES
New Member

Re: Identity nat

1) What the statement means is that the identity NAT

nat (inside) 0 XXXX

cannot be separated by outbound interfaces (unless you use an access-list specifying the destination subnets).

2) If you do that, your internet access will be lost, as nat (inside) 0 takes precedence over nat (inside) 1. However, if you change the destination from any to specific subnets in the access-list, it should not cause a problem.
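
A simplified model of the precedence described in the reply above, as an added example that is not part of the original thread: the exempt ACL is checked before dynamic PAT, so a destination of `any` leaves Internet-bound traffic with its private source address. The outside interface address 203.0.113.1, the destination subnet 10.10.0.0/16 and the sample flows are constructed assumptions.

```python
import ipaddress

# Simplified model (not device code) of the pre-8.3 PIX/ASA order in this thread:
# "nat (inside) 0 access-list <acl>" (exemption) is checked before
# "nat (inside) 1 ..." + "global (outside) 1 interface" (dynamic PAT).
INSIDE_NET = ipaddress.ip_network("192.168.0.0/16")
OUTSIDE_IF_IP = "203.0.113.1"  # constructed outside interface address
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Each ACL is a list of (source network, destination network) permit entries.
# BROAD_ACL mirrors: permit ip 192.168.0.0 255.255.0.0 any
BROAD_ACL = [(INSIDE_NET, ANY)]
# SCOPED_ACL uses a hypothetical destination subnet instead of "any".
SCOPED_ACL = [(INSIDE_NET, ipaddress.ip_network("10.10.0.0/16"))]


def acl_permits(acl, src_ip, dst_ip):
    """True if any permit entry matches both source and destination."""
    return any(src_ip in s and dst_ip in d for s, d in acl)


def translate(src, dst, exempt_acl=None):
    """Return (source address seen on the wire, rule that applied)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if exempt_acl and acl_permits(exempt_acl, src_ip, dst_ip):
        return src, "nat 0 access-list (exempt)"
    if src_ip in INSIDE_NET:
        return OUTSIDE_IF_IP, "nat 1 / global 1 interface (PAT)"
    return src, "no nat rule"


def internet_reachable(src, dst, exempt_acl=None):
    """Replies from the Internet can only route back to a non-RFC1918 source."""
    wire_src = ipaddress.ip_address(translate(src, dst, exempt_acl)[0])
    return not any(wire_src in net for net in RFC1918)


if __name__ == "__main__":
    # Constructed flows: one Internet host, one host in the hypothetical subnet.
    flows = [("192.168.1.10", "198.51.100.25"), ("192.168.1.10", "10.10.5.5")]
    for name, acl in (("none", None), ("broad", BROAD_ACL), ("scoped", SCOPED_ACL)):
        for src, dst in flows:
            print(name, src, "->", dst, translate(src, dst, acl))
```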

New Member

Re: Identity nat

Naveen,

OK with the 2nd answer. Not able to understand what is meant by separated by outbound interfaces.

Reg,

Sushil
