
NAT question...

Hi Experts,

Quick question: if I want to do NAT exemption for ALL IP traffic on an interface in version 8.4(2), what should I do?

Just want to double check it... would it work, or should I use another method: nat (interface,any) source static any any

Thanks,


Soroush.       

Hope it Helps!

Soroush.
Accepted Solution

Re: NAT question...

Hi,

I guess you already asked something like this on the previous thread.

If your situation is still so that NO HOSTS need to be NATed through the firewall then you can simply LEAVE OUT ALL NAT configurations.

Generally when people need to exempt hosts from NAT they usually only have certain destination networks for which this should apply (VPN connections). So you usually define destination parameters for the NAT configuration also.

Then you might naturally have public subnets behind the firewall that don't need NAT. As long as no other NAT rule matches these public subnets as a source then you can simply leave out all NAT configuration.

From what I tested I wouldn't probably suggest the above NAT configuration even though I mentioned it in the other thread. It might possibly even cause problems.

I would suggest the other format, which basically is that you define the source networks behind that interface under an "object-group network" and then configure the NAT rule:

object-group network NETWORKS
 network-object
 network-object
nat (interface,any) source static NETWORKS NETWORKS

Pretty hard to say more than that when I don't have an exact picture of the situation.

- Jouni
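A filled-in version of the skeleton above, added here as an example and not taken from the thread. The subnets are constructed placeholders (RFC 5737 documentation ranges), the interface is assumed to be "inside", and the second variant shows the destination-scoped form Jouni refers to for the VPN case.

```cisco
! Added example, not from the original post. Constructed subnets behind "inside"
! that must cross the firewall without translation.
object-group network INSIDE-NETS
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
!
! Variant A: identity NAT for every flow from these networks, whatever the
! egress interface. Same object on both sides means "translate to itself".
nat (inside,any) source static INSIDE-NETS INSIDE-NETS
!
! Variant B (use instead of A when only VPN traffic should be exempt):
! identity NAT scoped to the remote VPN subnet (constructed 203.0.113.0/24).
! Section 1 (manual) NAT is matched top-down, so keep this scoped rule above
! any broader rule, and let a later object/after-auto rule PAT the rest.
object network VPN-REMOTE
 subnet 203.0.113.0 255.255.255.0
nat (inside,outside) source static INSIDE-NETS INSIDE-NETS destination static VPN-REMOTE VPN-REMOTE no-proxy-arp route-lookup
!
! Checks (constructed addresses): confirm which rule a flow actually hits and
! that the translated address equals the original.
! packet-tracer input inside tcp 192.0.2.10 1025 203.0.113.10 445
! show nat detail
```

The `no-proxy-arp` and `route-lookup` keywords exist from 8.4(2) onward; they stop the ASA from answering ARP for the untranslated addresses on the egress interface and make it route by the routing table rather than by the NAT rule.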

