Cisco Support Community

New Member

NAT Exempt not working

folks

i have an asa 5540 & i'm trying to allow an outside IP through the asa & into another firewall's dmz on the inside interface

the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c

i have a nat exempt rule allowing 145.a.b.c/32 to talk to 194.a.b.c using inbound traffic but i get a no translation group found

the firewall's external interface is directly connected to 145.a.b.c and it has a route via its inside interface to 194.a.b.c

i can see the access rule incrementing and i can see a packet capture showing the source address trying to get to the destination address on the outside interface where the traffic arrives

there is nothing from the packet capture showing traffic leaving the external interface

anyone any ideas?

thanks to anyone taking the time to respond or post a reply

gratefully appreciated

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: NAT Exempt not working

nat exemption with an acl is bidirectional by default - provided you apply that on the higher security interface.

You did what I had suggested, which was to apply nat 0 on the inside or dmz interface with an acl.

Earlier you had provided exemption for the host 145.a.b.c that lived on the outside. That is incorrect.

nat (Outside) 0 access-list Outside_nat0_outbound_1 outside

access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c

This firewall probably logged no translation group messages.

-KS
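As an added worked example (not from the thread, and not Cisco's own text), the complete pre-8.3 ASA layout that the accepted answer describes: the exemption written on the higher-security Inside interface, the inbound access rule for the single service the poster mentioned (TCP DNS), and a packet-tracer check of the inbound flow. The interface names Inside/Outside, the ACL name Inside_nat0_outbound_1 and the placeholder hosts 145.a.b.c and 194.a.b.c come from the thread; the global statement, the outside_access_in ACL name and the packet-tracer source port are assumptions.

```cisco
! Added example (not from the thread): working pre-8.3 ASA NAT-exemption layout.
! Interface names, ACL name and placeholder hosts are taken from the thread.
!
! Dynamic PAT for ordinary outbound traffic from the inside (global statement
! assumed). An inbound-initiated connection cannot use a dynamic rule, which is
! why the ASA logged "no translation group found" for 145.a.b.c -> 194.a.b.c
! when only this rule and an outside-side exemption existed.
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
!
! NAT exemption applied on the higher-security (Inside) interface, written from
! the inside host's perspective. Because nat 0 with an ACL is bidirectional, it
! also covers connections initiated from 145.a.b.c on the outside, so 194.a.b.c
! is reachable at its real address with no translation.
access-list Inside_nat0_outbound_1 extended permit ip host 194.a.b.c host 145.a.b.c
nat (Inside) 0 access-list Inside_nat0_outbound_1
!
! Inbound access rule: permit only the required service (TCP DNS per the thread)
! from the single outside host to the real, untranslated inside address.
! ACL name assumed.
access-list outside_access_in extended permit tcp host 145.a.b.c host 194.a.b.c eq domain
access-group outside_access_in in interface Outside
!
! Verification: trace a synthetic inbound packet (source port assumed). The
! ACCESS-LIST and NAT phases should show ALLOW and the trace should end with
! "Action: allow"; a "drop" in the NAT phase means the exemption still does
! not cover this flow.
packet-tracer input Outside tcp 145.a.b.c 40000 194.a.b.c 53
```

The exemption ACL is deliberately host-to-host in both directions, so only the one outside host is exempted from translation when talking to the one inside host; the access rule then narrows what that host may do to the DNS port, which keeps the untranslated path as small as the poster wanted.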

11 REPLIES
Cisco Employee

Re: NAT Exempt not working

What do the logs show when it breaks? Could you pls. post the output of

sh run nat

with the access-list if nat 0 is tied to an acl?

You can also do packet-tracer. You can use "?" and fill out the command very easily and see where it is getting dropped.

-KS

New Member

Re: NAT Exempt not working

Can you post your commands to configure the NAT exempt?

Cisco Employee

Re: NAT Exempt not working

Topology:

Internet---ASA5540--FW--dmz(194.a.b.c)

the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c

Is this topology correct? What FW is the one on the inside? another ASA?

On the 5540 you are translating the 194.a.b.c to 145.a.b.c and on the one on the inside you are just doing identity translation or nat exemption?

Which firewall is logging no translation group?

You should do nat exemption or identity static on the inside firewall.

example:

nat (dmz) 0 access-list dmz-server

access-list dmz-server permit ip host 194.a.b.c any

or

static (dmz,outside) 194.a.b.c 192.a.b.c

-KS

New Member

Re: NAT Exempt not working

What are you trying to accomplish? If you are just trying to allow use of a service like http then using a static nat like

static (dmz,outside) 194.a.b.c 192.a.b.c would be fine with an access list allowing the necessary service.

access-list outside_access_in permit tcp any host 145.a.b.c eq http

If you are trying to allow already trusted traffic access to a system then using the nat exemption would be necessary.

New Member

Re: NAT Exempt not working

rbermel83

i'm trying to allow traffic from an external host, 145.a.b.c, to an internal host, 194.a.b.c but i need to allow the traffic from the external host through without any translation

the access rule is allowing traffic from the outside to the inside for tcp DNS

thanks

New Member

Re: NAT Exempt not working

kusankar

many thanks for your reply

your topology is correct but i want to allow 145.a.b.c through the firewall, from the outside to the inside, without translation

i have no other nat rules from outside to inside

i have an access rule allowing traffic from the outside, 145.a.b.c, to the inside, 194.a.b.c, and i'm seeing hits on it but my syslog shows 'no translation group.......'

thanks for taking the time to look at this

i'm wondering if a nat exemption is the right action since i don't have any other nat in the relevant direction outside to inside - maybe i just use a static nat to nat the source to itself but i only want it to apply to traffic to the destination i've specified

New Member

Re: NAT Exempt not working

kusankar/rbermel83

folks

i've just got this working by inverting the exempt statement

i changed the direction of the config in the gui & it works grand

i'm still a bit confused as it undermines my belief that i understood how to configure nat on an asa!

thanks to both of you for contributing

Cisco Employee

Re: NAT Exempt not working

I need to clearly understand what nat exemption that you reversed and on which firewall so, I can explain why you needed to do that.

Clearly copy and paste the lines and indicate which firewall you added it to.

-KS

New Member

Re: NAT Exempt not working

kusankar

old config

nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 0 access-list Outside_nat0_outbound_1 outside

access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c

new config


nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 1 0.0.0.0 0.0.0.0

access-list Inside_nat0_outbound_1 line 1 extended permit ip host 194.a.b.c host 145.a.b.c

i only needed to re-configure my external ASA as the traffic wasn't even getting to the internal firewall

i'd be keen to hear your views and if you need i can draft up a quick topology diagram


New Member

Re: NAT Exempt not working

kusankar

many thanks my friend
