Cisco Support Community

New Member

NAT exemption and Policy NAT

Hi All,

I have the following NAT exemption configured on my firewall

access-list in_nat0_out extended permit ip 10.0.0.0 255.0.0.0 x.x.224.0 255.255.248.0

nat (inside) 0 access-list in_nat0_out

The statements above basically do the NAT exemption for us. For any 10.0.0.0/8 traffic from inside destined to x.x.224.0/21 (this is our DMZ subnet), we do not perform NAT.

But now we have a single device in the DMZ (IP is x.x.224.29) that we want to NAT. For any 10-net traffic destined for x.x.224.29/32, I want to allocate a dynamic NAT pool.

The way I understand it, once I have nat 0 (NAT exemption) configured, I cannot do NAT on an overlapping network or address.

Is that correct? Or is it possible to do a NAT just for 1 address and nat 0 for all other addresses?

thanks,

Meena

6 REPLIES

Re: NAT exemption and Policy NAT

Have you tried the following?

access-list in_nat1_out extended permit ip 10.0.0.0 255.0.0.0 host x.x.224.29

nat (inside) 1 access-list in_nat1_out

global (dmz) 1 x.x.x.x-x.x.x.x netmask 255.x.x.x

Hope this helps.

New Member

Re: NAT exemption and Policy NAT

No, I have not tried it yet.

I thought this would not work because my nat 0 command already has that address in it. x.x.224.29/32 is part of x.x.224.0/21, and it would take the first match, which is my NAT exemption.

Does it look for a closer match or the first match?

Meena

Hall of Fame Super Blue

Re: NAT exemption and Policy NAT

Meena

You are correct, nat exemption takes precedence over everything else -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042696

You will have to exempt the traffic going to x.x.224.29 from your access-list in_nat0_out.

Jon

New Member

Re: NAT exemption and Policy NAT

Thank you Jon!

I was able to verify that NAT exemption takes precedence. The only way I can do policy NAT is if I exclude that address from the NAT exemption.

Thank you again!
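The behaviour Jon describes and Meena verified (the nat 0 access-list is consulted before any policy NAT rule, and ACL lookups are first-match in configured order, not longest-prefix) can be checked outside the firewall. The Python script below is an added illustration, not code from the thread or from Cisco: it parses ACEs written in the thread's extended-ACL syntax, evaluates the pre-8.3 NAT order for exemption and policy dynamic NAT only, and compares the original exemption ACL with one that excludes the DMZ host. The addresses 172.16.224.0/21 and 172.16.224.29 are constructed stand-ins for the masked x.x.224.0/21 and x.x.224.29, and the way the host is excluded (a deny ACE placed ahead of the permit, which falls through to the policy NAT rules) is this simulation's assumption about ACL semantics; the thread only says the address must be excluded from in_nat0_out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's masked addresses (x.x.224.0/21, x.x.224.29).
DMZ_SUBNET = "172.16.224.0 255.255.248.0"
DMZ_HOST = "172.16.224.29"


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME extended {permit|deny} ip SRC DST' entry."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'host A', 'any' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ASA writes dotted netmasks; ipaddress accepts them in 'addr/mask' form.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(text: str) -> Ace:
    """Parse the body of an extended ACE, e.g. 'permit ip 10.0.0.0 255.0.0.0 host 172.16.224.29'."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {text!r}")
    src, i = _parse_endpoint(tokens, 2)
    dst, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {text!r}")
    return Ace(tokens[0], src, dst)


def first_match(acl: List[Ace], src_ip, dst_ip) -> Optional[Ace]:
    """ACLs are first-match top-down: the first ACE that matches wins, however broad it is."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip):
            return entry
    return None


def nat_decision(exempt_acl: List[Ace], policy_nat, src: str, dst: str) -> str:
    """Pre-8.3 order modelled here: the nat 0 access-list is consulted before policy dynamic
    NAT. A permit hit in the exemption ACL ends the lookup; a deny hit (assumed semantics)
    falls through to the 'nat (inside) <id> access-list' rules in configuration order."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = first_match(exempt_acl, src_ip, dst_ip)
    if hit is not None and hit.action == "permit":
        return "exempt (nat 0)"
    for nat_id, acl in policy_nat:
        hit = first_match(acl, src_ip, dst_ip)
        if hit is not None and hit.action == "permit":
            return f"policy dynamic NAT (nat id {nat_id})"
    return "no NAT rule matched"


def compare_configs() -> dict:
    """Original exemption ACL vs. one that excludes the single DMZ host before the /21 permit."""
    policy_nat = [(1, [parse_ace(f"permit ip 10.0.0.0 255.0.0.0 host {DMZ_HOST}")])]
    original_exempt = [parse_ace(f"permit ip 10.0.0.0 255.0.0.0 {DMZ_SUBNET}")]
    fixed_exempt = [parse_ace(f"deny ip 10.0.0.0 255.0.0.0 host {DMZ_HOST}"),
                    parse_ace(f"permit ip 10.0.0.0 255.0.0.0 {DMZ_SUBNET}")]
    flows = [("10.1.2.3", DMZ_HOST), ("10.1.2.3", "172.16.225.10")]  # constructed sample flows
    return {
        "original": {f"{s}->{d}": nat_decision(original_exempt, policy_nat, s, d) for s, d in flows},
        "fixed": {f"{s}->{d}": nat_decision(fixed_exempt, policy_nat, s, d) for s, d in flows},
    }


if __name__ == "__main__":
    for label, results in compare_configs().items():
        print(label)
        for flow, decision in results.items():
            print(f"  {flow}: {decision}")
```

With the original ACL both flows come back exempt, because the /21 permit in in_nat0_out is hit before nat 1 is ever looked at; with the host excluded, only the flow to the DMZ host reaches the policy NAT rule while the rest of the subnet stays exempt. Putting the exclusion after the broad permit changes nothing, which is the first-match point Meena raised.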

Hall of Fame Super Blue

Re: NAT exemption and Policy NAT

Meena

No problem, glad to have been of help :-)

Jon

215 Views, 0 Helpful, 6 Replies