Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

NAT Exemption

Hi All,

I jsut need some help in making sure that the following statements are correct. Here is the scenario.

Our inside private addresss 10.x.x.x always gets NATed to a public IP on the outside. Now I have a situatuion where we do not want to NAT the private IP if the destination address is x.x.226.31 on the outside.

I have come up with the following.

access-list no_nat_ipvc_out permit ip 10.0.0.0 255.0.0.0 host x.x.226.31

nat (inside) 0 access-list no_nat_ipvc_out

Will this work?

8 REPLIES
Green

Re: NAT Exemption

Yes.

Silver

Re: NAT Exemption

Yeah that should do it.

-Hoogen

Community Member

Re: NAT Exemption

Thank you for both replies.

I have another situation but do not know how to do the translations for.

I have remote access VPN users getting public ip addresses in the range x.x.26.0/23 on the outside. They need to access their desktops on the inside using RDP and the desktops are on the private 10.x.x.x range.

Is it possible to allow remote access users on the outside to access the desktops on the inside?

I have been looking into policy NAT but need some help.

Any suggestions?

Green

Re: NAT Exemption

I think this is what you're asking. Just add the traffic to you existing nat exemption acl.

access-list no_nat_ipvc_out permit ip 10.0.0.0 255.0.0.0 host x.x.226.31

access-list no_nat_ipvc_out permit ip 10.0.0.0 255.0.0.0 x.x.226.0 255.255.254.0

nat (inside) 0 access-list no_nat_ipvc_out

Community Member

Re: NAT Exemption

I think this will only allow 10.x.x.x access the 26.0/23 with no NAT.

But I would like to no NAT the 10.x.x.x on the inside if the traffic is coming from the outside source x.x.26.0/23. I do not have any interface in the 10.x.x.x range on the firewall.

We are doing the NATing on the FWSM but the perimeter firewall has the DMZ which has our VPN device. When remote users connect they get an IP on the DMZ of the perimeter firewall and the users need access to inside which is 10.x.x.x. But all our 10.x.x.x gets NATed to a public IP by the FWSM.

Green

Re: NAT Exemption

Nat exemption acl's are bi-directional.

Community Member

Re: NAT Exemption

This is a learning for me. I just want to make sure that it will work if the traffic originates from outside.

Community Member

Re: NAT Exemption

How are doing Meena im dillonoct@aol.com

366
Views
0
Helpful
8
Replies
CreatePlease to create content