Cisco Support Community
New Member

NAT Exemption


Has anybody tried to implement a NAT exemption and a static NAT for the same source? What I want to achieve is that one host of the internal network will not be NATted, like the rest of the network, and also has a static NAT for another connection.

I have problems implementing this and have read that PNAT is not possible in combination with NAT exemption.



Cisco Employee

Re: NAT Exemption


Let's say you have host A on the inside.

You want that when host A goes to , then it should not be translated (NAT exempt), and for the rest of the traffic it should get translated (static NAT).

Is that true?

If it is:

access-l nonat permit ip host A

nat (inside) 0 access-list nonat

static (inside,outside)

The nat 0 with an access-list (exempt) takes precedence over the static, and that's why the no-NAT is processed before the static.

I guess that's it.

If I am on the wrong side of the lane, let me know.




Re: NAT Exemption

Correct, here's the rest of the order:

1. nat exemption

2. static nat

3. static pat

4. policy nat

5. regular nat

Cisco Employee

Re: NAT Exemption

Once a packet is exempted from NATting for a specific destination, you cannot do static NATting for the same host/network for the same destination.

Give us a brief overview of the scenario, and we'll try to help.


New Member

Re: NAT Exemption

Jesus ... so many answers, thanks for all your help. It's a complex environment, but I will try to explain. The environment is based on an FWSM with several interfaces. Basically all traffic is in an exemption NAT table based on network groups. A remote site will be connected to this environment with IPsec. The IPsec part will be handled by a concentrator. The remote network is , and has to be NATted inbound to . Traffic from internal to this remote network has to be NATted dynamically (pool). Specific hosts in the internal network have to have a static NAT when accessed from outside.

The problem is the remote site is not willing to do NAT, which would be the easy way...

If I understand your comments correctly, then the "jumping point" is that NAT exemption is first in order ... so the only solution would be to build a second firewall for this traffic ;-)
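As an added illustration of the precedence the replies above describe, and of why a catch-all exemption like the one in the FWSM setup described here keeps a static from ever being reached, this is a small Python model of the pre-8.3 ASA/FWSM NAT order of operations. It is not from the thread or from Cisco; the addresses, rule names and the `translate` helper are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Precedence of the NAT types as listed in the thread:
# NAT exemption is consulted first, regular (dynamic) NAT last.
ORDER = ["exempt", "static_nat", "static_pat", "policy_nat", "regular_nat"]


@dataclass
class Rule:
    kind: str                      # one of ORDER
    src: str                       # real source network, e.g. "10.1.1.10/32"
    dst: str = "0.0.0.0/0"         # destination match (nat 0 / policy ACL); any for plain static/regular NAT
    mapped: Optional[str] = None   # mapped address (or pool address) for translating rules


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    return ip_address(src) in ip_network(rule.src) and ip_address(dst) in ip_network(rule.dst)


def translate(rules: List[Rule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (winning rule kind, source address seen on the outside).

    Rules are tried in precedence ORDER, not in configuration order, so an
    exemption that matches the flow always wins over a static for the same host.
    """
    for kind in ORDER:
        for rule in rules:
            if rule.kind == kind and rule_matches(rule, src, dst):
                return kind, (src if kind == "exempt" else rule.mapped)
    return None, src  # nothing matched: flow leaves untranslated


# Constructed addresses: host 10.1.1.10 in inside net 10.1.1.0/24,
# remote VPN network 172.16.0.0/24 behind the concentrator.
# Destination-specific exemption, as in the first reply: exempt only towards the remote net.
NARROW = [
    Rule("exempt", "10.1.1.10/32", dst="172.16.0.0/24"),
    Rule("static_nat", "10.1.1.10/32", mapped="203.0.113.10"),
    Rule("regular_nat", "10.1.1.0/24", mapped="203.0.113.100"),
]
# Catch-all exemption for the whole network: the static for the host can never be reached.
BROAD = [
    Rule("exempt", "10.1.1.0/24"),
    Rule("static_nat", "10.1.1.10/32", mapped="203.0.113.10"),
]

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("broad", BROAD)):
        for dst in ("172.16.0.5", "198.51.100.7"):
            print(name, "10.1.1.10 ->", dst, translate(rules, "10.1.1.10", dst))
```

With the narrow exemption the host is untranslated only towards 172.16.0.0/24 and hits its static everywhere else; with the broad exemption it is untranslated everywhere, which is the situation the thread describes.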


