01-04-2012 06:24 AM - edited 03-11-2019 03:09 PM
Hello Dears,
I want to bypass VPN traffic from NATing. As my ASA OS is 8.4, can anybody route me to the alternate command in 8.4 that will work as nat 0?
Thanks
01-04-2012 06:37 AM
sure.
Here it is:
Check the URL. If you have a question, just let me know...
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183
Thanks
Rizwan Rafeek
01-04-2012 06:42 AM
Hi Estela,
Here's a very good doc for that purpose:
https://supportforums.cisco.com/docs/DOC-9129
Hope that helps.
Thanks,
Varun
01-04-2012 07:06 AM
Hello
Can you confirm that the range I have added is correct and that it will work?
object network nat0
range 192.168.1.0 192.168.10.0
nat (inside,outside) source static nat0 nat0 no-proxy-arp route-lookup
As an alternative to twice NAT, can I do the following? Please confirm.
object network no-nat
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static 192.168.1.0 no-proxy-arp route-lookup
The above commands will be configured for all the subnets, for example 192.168.2.0, 192.168.3.0, 192.168.4.0, etc.
Tx
01-04-2012 08:06 AM
Try this:
object network nat0
subnet 192.168.10.0 255.255.255.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static nat0 nat0
You may use range but I never used it before.
Thanks
Rizwan Rafeek
01-04-2012 08:30 AM
Hi Rizwan,
The nat statement is not the correct nat 0 on ASA 8.4. I'll explain with an example:
Pre 8.3
access-list nonat extended permit ip host 1.1.1.1 host 2.2.2.2
nat (inside) 0 access-list nonat
Post 8.3:
object network network_1.1.1.1
host 1.1.1.1
object network network_2.2.2.2
host 2.2.2.2
nat (inside,outside) source static network_1.1.1.1 network_1.1.1.1 destination static network_2.2.2.2 network_2.2.2.2
This is the right statement for nonat post 8.3.
Hope that helps,
Thanks,
Varun
01-04-2012 09:18 AM
"The nat statement is not the correct nat 0 on ASA 8.4," Ummm.
FYI
Here is a piece of config I found in the Cisco doc URL, which I posted first, and which is similar to your confirmation request.
8.3(2) through 8.4(1):
object network obj-10.1.2.0
subnet 10.1.2.0 255.255.255.0
nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 unidirectional
nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 unidirectional
8.4(2) and later:
object network obj-10.1.2.0
subnet 10.1.2.0 255.255.255.0
nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp route-lookup
nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp route-lookup
But your subsequent request came with a different scenario for no-NAT that includes a source and a destination.
I am glad it worked out for you!
Regards
01-04-2012 09:36 AM
HI Rizwan,
Yes, the one that you specified also does the NAT exemption, but in your case the destination is taken to be any, so there is an implicit "destination static any any" at the end of the statement. In the case of a LAN-to-LAN setup, you would mostly like to NAT-exempt the traffic going from the local site to the remote site, so I suggested a more specific one for it, which specifies the destination as well.
Cheers,
Varun
01-04-2012 10:11 AM
@Varun Rao, "Yes the one that you specified also does the nat exemption but in your case the destination is taken to be any,"
There is no my case, it was only an example found from Cisco Doc.
The case that matters is these given network segments, as per the user's request.
nat ( inside,outside) static
192.168.1.0 255.255.255.0
192.168.2.0,
192.168.3.0,
192.168.4.0
@Varun Rao "in case on lan to lan setup, you would mostly like to nat exempt the traffic going from the local site to remote site, so I suggested a more specific one for it, which specifies the destination as well."
I do not know where you got the impression that it is nothing but local site to remote site, and I believe that I did specify interfaces within the brackets as above.
Sorry, you are confused.
01-04-2012 11:14 AM
Hello Rizwan,
Try this:
object network nat0
subnet 192.168.10.0 255.255.255.0
subnet 192.168.1.0 255.255.255.0
More than one subnet is not accepted in an object network; if you try to specify a second subnet, the first subnet will be replaced by the second subnet.
01-04-2012 11:38 AM
Yes, you must have an individual nat for each network segment on version 8.4.
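Added example, not from this thread or from Cisco: a small Python helper that turns the pre-8.3 `nat (inside) 0 access-list nonat` form shown by Varun into the post-8.3 twice NAT identity rules, emitting one object pair and one `nat` line per ACE (so each network segment gets its own rule, as Rizwan notes). The three ACL lines are constructed sample input; the `no-proxy-arp route-lookup` keywords are taken from the Cisco snippet quoted earlier in the thread.

```python
import ipaddress
import re

# Constructed sample input: the host ACE from the thread plus two subnet ACEs.
PRE_83_ACL = """
access-list nonat extended permit ip host 1.1.1.1 host 2.2.2.2
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0
"""


def _parse_endpoint(tokens):
    """Consume one ACE endpoint ('host A.B.C.D' or 'NET MASK') and return
    (object_name, object_body_line, remaining_tokens)."""
    if tokens[0] == "host":
        ip = tokens[1]
        return f"network_{ip}", f" host {ip}", tokens[2:]
    # ipaddress accepts dotted-mask notation; strict=True rejects a non-network address
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=True)
    name = f"network_{net.network_address}_{net.prefixlen}"
    return name, f" subnet {net.network_address} {net.netmask}", tokens[2:]


def migrate_nat0(acl_text, real_if="inside", mapped_if="outside"):
    """Translate the ACEs of a nat 0 exemption ACL into post-8.3 twice NAT
    identity rules: source and destination are both mapped to themselves."""
    objects = {}  # object name -> body line, de-duplicated across ACEs
    rules = []
    for line in acl_text.strip().splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.+)", line.strip())
        if not m:
            continue  # remarks, deny entries and blank lines carry no exemption
        src_name, src_body, rest = _parse_endpoint(m.group(1).split())
        dst_name, dst_body, _ = _parse_endpoint(rest)
        objects[src_name] = src_body
        objects[dst_name] = dst_body
        rules.append(
            f"nat ({real_if},{mapped_if}) source static {src_name} {src_name} "
            f"destination static {dst_name} {dst_name} no-proxy-arp route-lookup"
        )
    objects_text = [f"object network {n}\n{b}" for n, b in objects.items()]
    return "\n".join(objects_text + rules)


if __name__ == "__main__":
    print(migrate_nat0(PRE_83_ACL))
```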
01-04-2012 12:42 PM
Thanks,
Rizwan and Varun.
Can you tell me what exactly no-proxy-arp and route-lookup are doing in this command?