New Member

Nat 0 alternate command in 8.4

Hello Dears,

I want to bypass VPN traffic from NATting. As my ASA OS is 8.4, can anybody route me to the alternate command in 8.4 that will work as nat 0?

Thanks

11 REPLIES

Nat 0 alternate command in 8.4

sure.

Here it is:

Check the URL.  If you have a question, just let me know...

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183

Thanks

Rizwan Rafeek

Red

Nat 0 alternate command in 8.4

Hi Estela,

Here's a very good doc for that purpose:

https://supportforums.cisco.com/docs/DOC-9129

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Nat 0 alternate command in 8.4

Hello

Can you confirm that the range I have added is correct and will work?

object network nat0

range 192.168.1.0  192.168.10.0

nat (inside,outside) source static nat0 nat0 no-proxy-arp route-lookup

As an alternative to twice NAT, can I do the following? Please confirm.

object network no-nat

subnet  192.168.1.0  255.255.255.0

nat ( inside,outside) static 192.168.1.0 no-proxy-arp route-lookup

The above commands will be configured for all the subnets, for example 192.168.2.0, 192.168.3.0, 192.168.4.0, etc.

Tx

Nat 0 alternate command in 8.4

Try this:

object network nat0

192.168.10.0 255.255.255.0

192.168.1.0 255.255.255.0

nat (inside,outside) source static nat0 nat0

You may use range but I never used it before.

Thanks

Rizwan Rafeek

Red

Nat 0 alternate command in 8.4

Hi Rizwan,

The nat statement is not the correct nat 0 in ASA 8.4; I'll explain with an example:

Pre 8.3

access-list nonat extended permit ip host 1.1.1.1 host 2.2.2.2

nat (inside) 0 access-list nonat

Post 8.3:

object network network_1.1.1.1

  host 1.1.1.1

object network network_2.2.2.2

  host 2.2.2.2

nat (inside,outside) source static network_1.1.1.1 network_1.1.1.1 destination static network_2.2.2.2 network_2.2.2.2

This is the right statement for nonat post 8.3.

Hope that helps,

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

Nat 0 alternate command in 8.4

"The nat statement is not the correct nat 0 in ASA 8.4,"  Ummm.


FYI

Here is a piece of config I found from Cisco URL Doc, which I posted first, which is similar to your confirmation request.


8.3(2) through 8.4(1):

object network obj-10.1.2.0

   subnet 10.1.2.0 255.255.255.0

nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 unidirectional
nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 unidirectional

8.4(2) and later:
object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0

nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp route-lookup

nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp route-lookup



But your subsequent request came with a different scenario, where the no-nat includes a source and a destination.

I am glad it worked out for you, thumbe!


Regards

Red

Nat 0 alternate command in 8.4

Hi Rizwan,

Yes, the one that you specified also does the nat exemption, but in your case the destination is taken to be any, so there is an implicit "destination static any any" at the end of the statement. In case of a LAN-to-LAN setup, you would mostly like to nat exempt the traffic going from the local site to the remote site, so I suggested a more specific one for it, which specifies the destination as well.

Cheers,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

Nat 0 alternate command in 8.4

@Varun Rao, "Yes the one that you specified also does the nat exemption but in your case the destination is taken to be any,"

There is no "my case"; it was only an example found in the Cisco doc.

The case that matters is these given network segments, as per the user's request.

nat ( inside,outside) static

192.168.1.0 255.255.255.0

192.168.2.0,

192.168.3.0,

192.168.4.0

@Varun Rao "in case of a LAN-to-LAN setup, you would mostly like to nat exempt the traffic going from the local site to the remote site, so I suggested a more specific one for it, which specifies the destination as well."

I do not know where you got the impression that it is nothing but local site to remote site, and I believe that I did specify the interfaces within the brackets as above.

Sorry thumbee, you are confused.

New Member

Nat 0 alternate command in 8.4

Hello Rizwan,

Try this:

object network nat0

192.168.10.0 255.255.255.0

192.168.1.0 255.255.255.0

More than one subnet is not accepted in an object network; if you try to specify a 2nd subnet, the 1st subnet will be replaced by the 2nd subnet.

Nat 0 alternate command in 8.4

Yes, you must have individual nat for each network segment on version 8.4
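
Added example (not from any poster in this thread or from Cisco's documentation): a small Python converter that applies the pre-8.3 to post-8.3 mapping shown in Varun's post, emitting one object per address because an object network holds only one subnet. The function names, the `_<prefixlen>` suffix on subnet object names, the default interface pair and the sample ACL lines are assumptions made for illustration.

```python
import ipaddress
import re

# Pre-8.3 exemption ACE form used in the thread:
#   access-list <name> extended permit ip <src> <dst>
# where <src>/<dst> is "host A.B.C.D" or "A.B.C.D MASK".
ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

def _take_endpoint(tokens):
    """Consume one address spec; return (object_name, object_body_line)."""
    first = tokens.pop(0)
    if first == "host":
        addr = ipaddress.ip_address(tokens.pop(0))
        return f"network_{addr}", f" host {addr}"
    # Strict parsing rejects a mask that leaves host bits set.
    net = ipaddress.ip_network(f"{first}/{tokens.pop(0)}")
    # Prefix length in the name keeps 10.0.0.0/8 and 10.0.0.0/16 distinct.
    name = f"obj-{net.network_address}_{net.prefixlen}"
    return name, f" subnet {net.network_address} {net.netmask}"

def convert_nonat(acl_lines, real_if="inside", mapped_if="outside", extra=""):
    """Return post-8.3 lines: one object per address, one twice-NAT per ACE."""
    objects, nats = {}, []
    for line in acl_lines:
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        tokens = m.group(2).split()
        src, src_body = _take_endpoint(tokens)
        dst, dst_body = _take_endpoint(tokens)
        if tokens:
            raise ValueError(f"trailing tokens in: {line!r}")
        objects.setdefault(src, src_body)
        objects.setdefault(dst, dst_body)
        nat = (f"nat ({real_if},{mapped_if}) source static {src} {src} "
               f"destination static {dst} {dst}")
        nats.append(f"{nat} {extra}".strip())
    out = []
    for name, body in objects.items():
        out += [f"object network {name}", body]
    return out + nats

# Constructed sample input (addresses are illustrative only).
SAMPLE = [
    "access-list nonat extended permit ip host 1.1.1.1 host 2.2.2.2",
    "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0",
]

if __name__ == "__main__":
    print("\n".join(convert_nonat(SAMPLE, extra="no-proxy-arp route-lookup")))
```

Passing `extra="no-proxy-arp route-lookup"` appends the keywords shown in the thread for 8.4(2) and later; review the generated statements against the running configuration before applying them.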

New Member

Re: Nat 0 alternate command in 8.4

Thanks

Rizwan and Varun.

Can you tell me what exactly no-proxy-arp and route-lookup are doing in this command?
