New Member

identity static NAT and PAT

access-list IDENT-STATIC extended permit ip object-group X object-group Y
global (outside) 9 x.x.x.x
nat (inside) 9 x.x.x.x 255.255.255.0 dns
static (inside,outside) x.x.x.0  access-list IDENT-STATIC

I have the configuration above, which works fine, but an issue has come up and I need to see whether it is possible to work around it. Group X is an internal network of users on RFC1918 space, and object-group Y is also an internal network that is on public IPs. So basically they are identity NAT'ed if they reach any host on the Y network and are PAT'ed if they go elsewhere. What I need to do, if possible, is allow all the computers in object-group X to reach one host in object-group Y without being NAT'ed. The host they need to reach is already a part of the network in object-group Y. Is there a way to exclude a host from being NAT'ed before this statement is processed?

Thanks

6 REPLIES
Cisco Employee

Re: identity static NAT and PAT

Hello,

You can try NAT-0 configuration.

access-list nonat permit ip x.x.x.0 255.255.255.0 host y.y.y.a

nat (inside) 0 access-list nonat

Hope this helps.

Regards,

NT

New Member

Re: identity static NAT and PAT

Sorry, I should have said I want the hosts in network X to be NAT'ed when they are trying to reach that one host in object-group Y.

Cisco Employee

Re: identity static NAT and PAT

Let y.y.y.y be the host that users in x access after natting.

We can use variable subnetting

if you are OK to change this IP to something else.

I mean, put all those hosts in the y network which need to be accessed by x without natting in one subnet, say y.y.y.0 255.255.255.128, as this is the max you can go to divide them equally into 2 parts,

and the host which needs x to be natted in the y.y.y.128 255.255.255.128 subnet,

and then you can modify the access-list and nat statements accordingly.

Cisco Employee

Re: identity static NAT and PAT

j

Cisco Employee

Re: identity static NAT and PAT

Forgot to mention one more thing:

Can you use NAT exempt instead of identity NAT?

In the NAT exempt you can deny the traffic which needs to be natted.

Cisco Employee

Re: identity static NAT and PAT

Hello,

As Jathaval has said, with the way you have configured it, it is not possible to NAT when you are accessing one specific device in the y.y.y.0 subnet. However, you could modify your configuration and use NAT-0 instead of identity NAT and make it work. You do need to remember that when you remove identity NAT and configure NAT-0, you will lose the ability to initiate connections from the y.y.y.0 side to the x.x.x.0 side.

access-list nonat deny ip x.x.x.0 255.255.255.0 host y.y.y.y

access-list nonat permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0

nat (inside) 0 access-list nonat

The other option is to change the IP of the y.y.y.y host as it appears to the firewall. If you have another router between the firewall and the y.y.y.0 subnet, then you could configure the router such that the host y.y.y.y appears as z.z.z.z to the ASA. That makes our life simple, as you do not need to make any changes to the existing configuration. The only thing will be that your x.x.x.0 users will be accessing the z.z.z.z address instead of the y.y.y.y address.

Hope this helps.

Regards,

NT
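
The deny-then-permit `nonat` list in the reply above depends on first-match ordering, which the following small model makes checkable; it is an added illustration, not part of any reply in this thread and not Cisco code. The addresses are constructed stand-ins for x.x.x.0, y.y.y.0, y.y.y.y and the `global 9` address, the model assumes `nat (inside) 9` covers network X, and `shadowed_aces` is a hypothetical audit helper.

```python
import ipaddress

# Constructed sample addressing (the thread only gives x.x.x.0, y.y.y.0, y.y.y.y).
X_NET = ipaddress.ip_network("10.1.1.0/24")        # stands in for x.x.x.0/24
Y_NET = ipaddress.ip_network("198.51.100.0/24")    # stands in for y.y.y.0/24
Y_HOST = ipaddress.ip_network("198.51.100.10/32")  # stands in for host y.y.y.y
PAT_ADDR = ipaddress.ip_address("203.0.113.9")     # stands in for the global 9 address

# access-list nonat, in the order given in the reply: deny first, then permit.
NONAT_ACL = [
    ("deny", X_NET, Y_HOST),
    ("permit", X_NET, Y_NET),
]

def acl_action(acl, src, dst):
    """First matching ACE wins; no match is an implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def translate(src, dst, nonat_acl=NONAT_ACL):
    """Return (rule, translated_source) for an inside-to-outside flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # nat (inside) 0 access-list nonat: a permit exempts the flow from NAT.
    if acl_action(nonat_acl, src, dst) == "permit":
        return ("nat-exempt", src)
    # A deny (explicit or implicit) falls through to nat (inside) 9 / global 9.
    if src in X_NET:
        return ("pat", PAT_ADDR)
    return ("no-rule", src)

def shadowed_aces(acl):
    """ACEs that can never match because an earlier ACE already covers them."""
    return [later for i, later in enumerate(acl)
            if any(later[1].subnet_of(e[1]) and later[2].subnet_of(e[2])
                   for e in acl[:i])]

if __name__ == "__main__":
    for dst in ("198.51.100.10", "198.51.100.20", "192.0.2.50"):
        print(dst, translate("10.1.1.25", dst))
    print("shadowed if reordered:", shadowed_aces(NONAT_ACL[::-1]))
```

Reversing the two ACEs leaves the deny shadowed by the permit, so traffic to the single host would be exempted instead of PAT'ed.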
