Nat exemption upsetting routing

Hi Cisco wizards,

I'm having an issue with my NAT exemption on some ASA 5515-Xs running 8.6. There is one rule for NAT exemption that is taking internet-bound traffic and sending it back out the inside interface.

nat (inside,any) source static any any destination static Windows_Servers Windows_Servers no-proxy-arp

When this rule is present traffic from servers in the Windows_Servers group destined for the internet is sent back out the internal interface. If I remove this rule, it works, but it is required for VPN functionality.

The thing that puzzles me the most is that the source is Windows_Servers and the destination is any. This is the opposite of the rule. Also, when this rule is in place and causing trouble, the counter does not increment when I do a show nat.

Possible solution:

(I only have version 8.4 in the lab, 8.6 is on the customer site. No access at the moment.)

If I take the (inside,any) rule and break it into three rules [(inside,outside),(inside,DMZ),(inside,inside)] and add the route-lookup keyword then internet access works. Does this provide the same functionality?

On 8.6 can I just add the route-lookup keyword to the (inside,any) rule?

I'd be fairly happy if the above solution solved the issue, but I'd feel a whole lot better if I could explain why it happens in the first place.

Re: Nat exemption upsetting routing

It should work if you add the route-lookup keyword. Normally NAT is processed before routing and that could be causing your problem. The route-lookup keyword forces a routing lookup before processing the NAT.

If that does not fix the issue, please provide your config and the output of a packet-tracer.


Nat exemption upsetting routing

Thanks Mike,

I'm reasonably confident that the route-lookup will work, but why is the NAT interfering in the first place? I'm initiating a session from Windows_Servers to any when the NAT rule specifies any to Windows_Servers.

Re: Nat exemption upsetting routing


If the above NAT rule is your VPN NAT0 configuration then I would suggest sticking to actual networks and interfaces instead of "any".

Let's take for example that you have 2 local and 2 remote networks:

object-group network LOCAL



object-group network REMOTE



nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

You are saying that if you remove this rule then VPN doesn't work. So I would assume that the Windows Servers are behind a L2L VPN connection. You also mean that all of their Internet outbound traffic from the Windows Servers gets forwarded to the "inside" interface when this NAT rule is present?

If the above are correct assumptions, then when the traffic is coming from the "outside" from the Windows Servers networks it matches "any" destination address to the "inside" interface. Again, one reason why I never used "any" in NAT configurations.

- Jouni

Re: Nat exemption upsetting routing

NAT rules on an ASA work bidirectionally by default.
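To make the "bidirectional" point concrete, here is a small model of how an ASA evaluates a manual (twice) NAT rule. This is an added illustration, not Cisco code and not anything posted in the thread; it models only the two behaviours the replies point at: a rule is tried in both directions (interfaces and objects swapped), and without route-lookup the rule rather than the routing table picks the egress interface. The routing table, the 10.10.5.0/24 stand-in for Windows_Servers, the LOCAL/REMOTE networks and the sample packets are all constructed for the example.

```python
"""Simplified model of ASA manual (twice) NAT matching.

Added illustration for this thread; not Cisco code. It models only two
behaviours: rules match in both directions, and the rule (not the routing
table) chooses the egress interface unless route-lookup is set.
All addresses, object contents and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Constructed routing table: two connected LANs and a default route.
ROUTES = [
    (net("10.10.0.0/16"), "inside"),
    (net("172.16.0.0/24"), "dmz"),
    (ANY, "outside"),
]

# Constructed stand-ins for the thread's object groups.
WINDOWS_SERVERS = [net("10.10.5.0/24")]
LOCAL = [net("10.10.0.0/16")]
REMOTE = [net("192.168.100.0/24")]   # assumed network behind the L2L VPN


def route_lookup(dst):
    """Longest-prefix match against ROUTES; returns the egress interface."""
    candidates = [r for r in ROUTES if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


@dataclass
class NatRule:
    """nat (src_if,dst_if) source static X X destination static Y Y [route-lookup]"""
    src_if: str
    dst_if: str
    src_obj: list
    dst_obj: list
    route_lookup: bool = False


def in_group(addr, objs):
    return any(addr in o for o in objs)


def match(rule, in_if, src, dst):
    """Return the egress interface if `rule` matches this packet, else None.

    The rule is tried forward first, then (manual NAT is bidirectional)
    with its interfaces and address objects swapped.
    """
    for ingress, egress, s_obj, d_obj in (
        (rule.src_if, rule.dst_if, rule.src_obj, rule.dst_obj),   # forward
        (rule.dst_if, rule.src_if, rule.dst_obj, rule.src_obj),   # reverse
    ):
        if ingress in (in_if, "any") and in_group(src, s_obj) and in_group(dst, d_obj):
            # The rule dictates egress unless it says "any" or has route-lookup.
            if egress == "any" or rule.route_lookup:
                return route_lookup(dst)
            return egress
    return None


def forward(rules, in_if, src, dst):
    """First matching NAT rule wins; with no match the routing table decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        egress = match(rule, in_if, src, dst)
        if egress is not None:
            return egress
    return route_lookup(dst)


# The rule from the original post, with and without route-lookup.
BROKEN = [NatRule("inside", "any", [ANY], WINDOWS_SERVERS)]
FIXED = [NatRule("inside", "any", [ANY], WINDOWS_SERVERS, route_lookup=True)]
# Jouni's suggestion: real interfaces and real networks instead of "any".
SPECIFIC = [NatRule("inside", "outside", LOCAL, REMOTE)]

if __name__ == "__main__":
    pkt = ("inside", "10.10.5.10", "203.0.113.9")   # server -> Internet
    print("broken  :", forward(BROKEN, *pkt))     # inside (hairpinned back)
    print("fixed   :", forward(FIXED, *pkt))      # outside
    print("specific:", forward(SPECIFIC, *pkt))   # outside
    print("vpn     :", forward(SPECIFIC, "inside", "10.10.5.10", "192.168.100.5"))  # outside
```

Run it and the first line shows the symptom from the original post: the Internet-bound packet from a Windows server does not match the rule forward (its destination is not in Windows_Servers), but it does match the reverse direction (source in Windows_Servers, destination "any", ingress "any"), and the reverse direction's egress is the rule's source interface, inside. Adding route-lookup, or using real interfaces and networks so the reverse direction only matches traffic arriving from outside, both send the packet out the interface the routing table chooses.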


