Cisco Support Community
New Member

NAT Exemption

Hi,

Has anybody tried to implement a NAT exemption and a static NAT for the same source? What I want to achieve is that one host of the internal network is not NATted, like the complete network, and also has a static NAT for another connection.

I have problems implementing this and have read that PNAT is not possible in combination with NAT exemption.

regards

Christoph

4 REPLIES
Cisco Employee

Re: NAT Exemption

Hi,

Let's say you have host A on the inside.

You want that when host A goes to 1.1.1.1/24, it should not be translated (NAT exempt), and for the rest of the traffic it should get translated (static NAT).

Is that true?

If it is,

access-list nonat permit ip host A 1.1.1.1 255.255.255.0

nat (inside) 0 access-list nonat

static (inside,outside)

The nat 0 with an access-list (exempt) takes precedence over the static, and that's why the no-NAT is processed before the static.

I guess that's it.

If I am on the wrong side of the lane, let me know.

Regards,

Sushil.

Green

Re: NAT Exemption

Correct, here's the rest of the order:

1. nat exemption

2. static nat

3. static pat

4. policy nat

5. regular nat
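The match order in the two replies above (the nat 0 / static example and the five-step list), as an added example that is not part of the original thread: a small Python model of the pre-8.3 ASA/FWSM rule lookup. It parses a constructed subset of the old access-list / nat 0 / static / nat / global syntax and answers "which rule wins for this source and destination?" by walking the categories in the order the reply lists. Everything in it is assumed: the addresses (10.1.1.5 stands in for host A, 203.0.113.5 and the pool are made up), the two sample configs, and the simplification that static PAT keeps its slot in the order but is not parsed. It is a model of the ordering rule as stated on this page, not the firewall's own code.

```python
"""Model of the pre-8.3 ASA/FWSM NAT match order discussed in this thread.

Added example, not code from the original posts. It parses a constructed
subset of the old 'nat 0 access-list' / 'static' / 'nat' / 'global' syntax
and reports which rule wins for a source/destination pair, using the
category order given in the reply above: exemption, static NAT, static PAT,
policy NAT, regular (dynamic) NAT. Static PAT keeps its slot but is not
parsed, to keep the example short. All addresses are made up.
"""
import ipaddress
from dataclasses import dataclass

ORDER = ("exempt", "static", "static_pat", "policy", "dynamic")  # as listed in the reply
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    kind: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY when the rule ignores the destination
    mapped: str                  # static mapped IP, or a global-pool id for dynamic/policy
    line: str                    # config line the rule came from, for reporting


def _addr(tok, i):
    """Consume one ACL address spec (host A | any | A MASK); return (network, next index)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (rules, pools) from the constructed config subset used below."""
    acls, rules, pools = {}, [], {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":                  # access-list NAME permit ip SRC DST
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "global":                     # global (ifc) ID POOL
            pools[t[2]] = t[3]
        elif t[0] == "static":                     # static (real,mapped) MAPPED REAL ...
            rules.append(Rule("static", ipaddress.ip_network(t[3]), ANY, t[2], line))
        elif t[0] == "nat" and t[3] == "access-list":
            kind = "exempt" if t[2] == "0" else "policy"   # nat 0 + ACL = exemption
            for src, dst in acls[t[4]]:
                rules.append(Rule(kind, src, dst, t[2], line))
        elif t[0] == "nat":                        # nat (ifc) ID NET MASK = regular NAT
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            rules.append(Rule("dynamic", net, ANY, t[2], line))
    return rules, pools


def translate(rules, pools, src, dst):
    """First match in category order wins; return (kind, mapped source) or ("none", src)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ORDER:
        for r in rules:
            if r.kind == kind and s in r.src and d in r.dst:
                if kind == "exempt":
                    return kind, src              # exemption leaves the real address alone
                if kind == "static":
                    return kind, r.mapped
                return kind, pools[r.mapped]      # dynamic/policy: address comes from the pool
    return "none", src


def shadowed_statics(rules):
    """Statics that an exemption hides for some destinations: (mapped IP, exempted dst)."""
    out = []
    for st in (r for r in rules if r.kind == "static"):
        for ex in (r for r in rules if r.kind == "exempt"):
            if st.src.overlaps(ex.src):
                out.append((st.mapped, str(ex.dst)))
    return out


# Constructed config in the shape of the reply: host A (10.1.1.5) is exempt towards
# 1.1.1.0/24, static for everything else, rest of the inside network uses a pool.
CONFIG = """
access-list nonat permit ip host 10.1.1.5 1.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 203.0.113.100-203.0.113.200
"""

# Constructed config in the shape of the original poster's situation: the whole inside
# network is exempted towards the remote range, so the static can never fire for it.
CONFIG_SHADOWED = """
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.61.0.0 255.255.0.0
nat (inside) 0 access-list nonat
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
"""

if __name__ == "__main__":
    rules, pools = parse_config(CONFIG)
    for flow in [("10.1.1.5", "1.1.1.20"), ("10.1.1.5", "198.51.100.7"), ("10.1.1.77", "198.51.100.7")]:
        print(flow, "->", translate(rules, pools, *flow))
    rules2, pools2 = parse_config(CONFIG_SHADOWED)
    print(("10.1.1.5", "10.61.3.3"), "->", translate(rules2, pools2, "10.1.1.5", "10.61.3.3"))
    print("shadowed statics:", shadowed_statics(rules2))
```

The second config is the case the thread turns on: once the exemption ACL covers the whole inside network towards a destination, any static for a host inside that network is unreachable for that destination, and `shadowed_statics` is the check to run before assuming a static will ever be hit.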

Cisco Employee

Re: NAT Exemption

Once a packet is exempted from NATting for a specific destination, you cannot do static NATting for the same host/network for the same destination.

Give us a brief overview of the scenario, and we'll try to help.

-Kanishka

New Member

Re: NAT Exemption

Jesus ... so many answers, thanks for all your help. It's a complex environment, but I will try to explain. The environment is based on an FWSM with several interfaces. Basically all traffic is in an exemption NAT table based on network groups. A remote site will be connected to this environment with IPsec. The IPsec part will be handled by a concentrator. The remote network is 172.22.0.0/16 and has to be NATted inbound to 10.61.0.0/16. Traffic from internal to this remote network has to be NATted dynamically (pool). Specific hosts in the internal network have to have a static NAT when accessed from outside.

The problem is the remote site is not willing to do NAT, that would be the easy way...

If I understand your comments correctly, then the "jumping point" is that NAT exemption is first in order ... so the only solution would be to build a second firewall for this traffic ;-)

regards

Christoph
