Nat 0 alternate command in 8.4

estelamathew

Hello Dears,

I want to bypass VPN traffic from NATting as my ASA OS is 8.4. Can anybody route me to the alternate command in 8.4 that will work as nat 0?

Thanks


rizwanr74

sure.

Here it is:

Check the URL.  If you have a question, just let me know...

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183

Thanks

Rizwan Rafeek

Hi Estela,

Here's a very good doc for that purpose:

https://supportforums.cisco.com/docs/DOC-9129

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Hello

Can you confirm that the range I have added is correct and that it will work?

object network nat0
   range 192.168.1.0 192.168.10.0

nat (inside,outside) source static nat0 nat0 no-proxy-arp route-lookup

As an alternative to twice NAT, can I do the following? Please confirm.

object network no-nat
   subnet 192.168.1.0 255.255.255.0

nat (inside,outside) static 192.168.1.0 no-proxy-arp route-lookup

The above commands will be configured for all the subnets, for example 192.168.2.0, 192.168.3.0, 192.168.4.0, etc.

Tx

Try this:

object network nat0
   subnet 192.168.10.0 255.255.255.0
   subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static nat0 nat0

You may use range but I never used it before.

Thanks

Rizwan Rafeek

Hi Rizwan,

The nat statement is not the correct nat 0 in ASA 8.4, I'll explain with an example:

Pre 8.3:

access-list nonat extended permit ip host 1.1.1.1 host 2.2.2.2

nat (inside) 0 access-list nonat

Post 8.3:

object network network_1.1.1.1

  host 1.1.1.1

object network network_2.2.2.2

  host 2.2.2.2

nat (inside,outside) source static network_1.1.1.1 network_1.1.1.1 destination static network_2.2.2.2 network_2.2.2.2

This is the right statement for nonat post 8.3.

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

"The nat statement is not the correct nat 0 in ASA 8.4,"  Ummm.


FYI

Here is a piece of config I found in the Cisco doc (the URL I posted first), which is similar to your confirmation request.


8.3(2) through 8.4(1):

object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0

nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 unidirectional
nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 unidirectional

8.4(2) and later:

object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0

nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp route-lookup
nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp route-lookup



But your subsequent request came with a different scenario, where the no-nat includes a source and a destination.

I am glad it worked out for you, thumbe!


Regards

HI Rizwan,

Yes, the one that you specified also does the NAT exemption, but in your case the destination is taken to be any, so there is an implicit "destination static any any" at the end of the statement. In the case of a LAN-to-LAN setup, you would mostly like to NAT-exempt the traffic going from the local site to the remote site, so I suggested a more specific one for it, which specifies the destination as well.

Cheers,

Varun

Thanks,
Varun Rao

@Varun Rao, "Yes the one that you specified also does the nat exemption but in your case the destination is taken to be any,"

There is no my case, it was only an example found from Cisco Doc.

The case that matters is these given network segments, as per the user's request:

nat (inside,outside) static
   192.168.1.0 255.255.255.0
   192.168.2.0,
   192.168.3.0,
   192.168.4.0

@Varun Rao "in case on lan to lan setup, you would mostly like to nat exempt the traffic going from the local site to remote site, so I suggested a more specific one for it, which specifies the destination as well."

I do not know where you got the impression that it is nothing but local site to remote site, and I believe that I did specify the interfaces within the brackets as above.

Sorry thumbee, you are confused.

Hello Rizwan,

Try this:

object network nat0
   subnet 192.168.10.0 255.255.255.0
   subnet 192.168.1.0 255.255.255.0

More than one subnet is not accepted in an object network; if you try to specify a 2nd subnet, the 1st subnet will be replaced by the 2nd subnet.

Yes, you must have an individual nat for each network segment on version 8.4.

Thanks
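An added example, not from this thread or from Cisco: a small Python converter that takes a pre-8.3 "nat 0" exemption ACL, in the style of Varun's nonat example, and emits the object definitions plus one identity twice-NAT line per ACE in the 8.4(2)+ form quoted above, one statement per segment as Estela notes is required. The sample ACL, the obj- naming and the interface names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): a pre-8.3 "nat 0" exemption
# ACL covering several local segments, as the original poster described.
PRE83_ACL = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 any
access-list nonat extended permit ip host 1.1.1.1 host 2.2.2.2
"""

def parse_endpoint(tokens):
    """Consume one ACE endpoint: 'any', 'host A' or 'A MASK'. Returns (net, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def obj_name(net):
    """'any' stays a keyword; everything else becomes obj-<network address>."""
    return "any" if net == "any" else f"obj-{net.network_address}"

def obj_block(net):
    """Object definition: 'host' for a /32, 'subnet <addr> <mask>' otherwise."""
    if net.prefixlen == 32:
        return f"object network {obj_name(net)}\n   host {net.network_address}"
    return f"object network {obj_name(net)}\n   subnet {net.network_address} {net.netmask}"

def convert_nat0(acl_text, real_ifc="inside", mapped_ifc="outside"):
    """One object per distinct network, one identity twice-NAT line per ACE (order kept)."""
    objects, nat_lines = {}, []
    for line in acl_text.strip().splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.+)", line.strip())
        if not m:
            continue  # only IP permit ACEs matter for exemption
        src, rest = parse_endpoint(m.group(1).split())
        dst, _ = parse_endpoint(rest)
        for net in (src, dst):
            if net != "any":
                objects.setdefault(obj_name(net), obj_block(net))
        s, d = obj_name(src), obj_name(dst)
        nat_lines.append(f"nat ({real_ifc},{mapped_ifc}) source static {s} {s} "
                         f"destination static {d} {d} no-proxy-arp route-lookup")
    return "\n".join(list(objects.values()) + nat_lines)
```

Calling `convert_nat0(PRE83_ACL)` prints six object definitions followed by four manual NAT lines, which can be pasted into the 8.4 configuration in that order.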

Rizwan and Varun.

Can you tell me what exactly no-proxy-arp and route-lookup are doing in this command?
