access-list IDENT-STATIC extended permit ip object-group X object-group Y
global (outside) 9 x.x.x.x
nat (inside) 9 x.x.x.x 255.255.255.0 dns
static (inside,outside) x.x.x.0 access-list IDENT-STATIC
I have the configuration above, which works fine, but an issue has come up and I need to see whether it is possible to work around it. Object-group X is an internal network of users on RFC1918 space, and object-group Y is also an internal network that is on public IPs. So basically they are identity NATed if they reach any host on the Y network and are PATed if they go elsewhere. What I need to do, if possible, is allow all the computers in object-group X to reach one host in object-group Y without being NATed. The host they need to reach is already part of the network in object-group Y. Is there a way to exclude a host from being NATed before this statement is processed?
As Jathaval has said, with the way you have configured it, it is not possible to NAT when you are accessing one specific device in the y.y.y.0 subnet. However, you could modify your configuration and use NAT-0 instead of identity NAT and make it work. You do need to remember that when you remove identity NAT and configure NAT-0, you will lose the ability to initiate connections from the y.y.y.0 side to the x.x.x.0 side.
access-list nonat deny ip x.x.x.0 255.255.255.0 host y.y.y.y
access-list nonat permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0
nat (inside) 0 access-list nonat
Another option is to change the IP of the y.y.y.y host as it appears to the firewall. If you have another router between the firewall and the y.y.y.0 subnet, you could configure the router so that host y.y.y.y appears as z.z.z.z to the ASA. That makes life simple, as you do not need to make any changes to the existing configuration. The only thing is that your x.x.x.0 users will be accessing the z.z.z.z address instead of the y.y.y.y address.
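The reason the NAT-0 answer above works is the order in which the ASA evaluates its (pre-8.3) NAT rules and the first-match semantics of the nonat ACL: a deny entry is not an exemption, it is a non-match, so the flow falls through to the dynamic nat/global pair and gets PATed. The following model is an added example, not code from the thread or from Cisco; the addresses are constructed stand-ins for the x.x.x.0, y.y.y.0, y.y.y.y and global placeholders used in the posts, and the evaluation order (exemption, then dynamic PAT, with no static rule in this variant) is an assumption of the model rather than a full ASA NAT engine.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders (assumption: RFC5737 / RFC1918 space).
X_NET = ipaddress.ip_network("10.1.1.0/24")        # x.x.x.0 255.255.255.0 (inside users)
Y_NET = ipaddress.ip_network("198.51.100.0/24")    # y.y.y.0 255.255.255.0 (internal public range)
Y_HOST = ipaddress.ip_address("198.51.100.25")     # host y.y.y.y that must be reached un-NATed
PAT_ADDR = "203.0.113.9"                           # address from 'global (outside) 9 ...'

def acl_first_match(acl, src, dst):
    """Return the action of the first ACE whose src/dst both match, or None if none matches."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None

# access-list nonat deny   ip x.x.x.0 255.255.255.0 host y.y.y.y
# access-list nonat permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0
NONAT_ACL = [
    ("deny",   X_NET, ipaddress.ip_network(f"{Y_HOST}/32")),
    ("permit", X_NET, Y_NET),
]

# Same two lines with the order reversed: the deny can never be reached.
NONAT_ACL_WRONG_ORDER = list(reversed(NONAT_ACL))

def translate(src, dst, nonat_acl=NONAT_ACL):
    """Model of what the firewall does with an inside->outside flow from src to dst.

    Returns (decision, source_address_seen_by_destination).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in X_NET:
        # Outside the scope of the nat (inside) 9 rule; not modelled further.
        return ("no-rule", str(src))
    # 1. NAT exemption: nat (inside) 0 access-list nonat.
    #    Only a 'permit' exempts the flow; a 'deny' is simply a non-match.
    if acl_first_match(nonat_acl, src, dst) == "permit":
        return ("exempt", str(src))
    # 2. No static rule in this variant of the config.
    # 3. Dynamic PAT: nat (inside) 9 x.x.x.0 255.255.255.0 / global (outside) 9 PAT_ADDR
    return ("pat", PAT_ADDR)

if __name__ == "__main__":
    for dst in (str(Y_HOST), "198.51.100.26", "192.0.2.10"):
        print(dst, translate("10.1.1.7", dst))
    print("wrong ACL order:", translate("10.1.1.7", str(Y_HOST), NONAT_ACL_WRONG_ORDER))
```

With the deny listed first, traffic from the X network to y.y.y.y is PATed to the global address while the rest of y.y.y.0 stays exempt; with the two lines swapped, the permit matches first and the single host is exempted along with everything else, which is the behaviour the question wanted to avoid.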