Nat's and Nat Exempts on ASA 8.4, I'm only use to 8.2.

Andy White · ‎02-15-2012

Hello,

I've been use to managing our ASA's on firmware 8.2, however we have got a couple of ASA's on firmware 8.4 for a new project and the NAT area especially in the ASDM is very different now, I feel like I know nothing. On these new ASA's on 8.4 that will be in active/standy mode I will be creating a sub interfaces off these by attaching a 3750 and I wondered how the NAT exempts will work, as normally I will have to use exempts as I don't want the source IP to change when going from one interface to another in certain situations and this setup described works well on 8.2, but how can I do this on 8.4 as I don't even see the option for creating NAT exempts, looks like a different world?

Thanks

manish arora · ‎02-15-2012

Check these Documents out ..... NAT & ACL setup is same from 8.3 onwards ...

https://supportforums.cisco.com/docs/DOC-9129

https://supportforums.cisco.com/docs/DOC-21602

Manish

Marvin Rhoads · ‎02-15-2012

Actually it's very straightforward in ASDM (and like it should have been in the first place in cli).

Here is an example in both formats:

nat (outside,any) source static destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4

object-group network DM_INLINE_NETWORK_4

network-object object DMZ_network

network-object object phonenet

network-object object servernet

network-object object usernet

Andy White · ‎02-16-2012

Thanks for this the image helps alot, what does the rule look like if you edit it in the ASDM?

Also for example if I need a NAT exempt on someone on the inside interface that needs to get to DMZ4, what woudl the ASDM look like and woudl the CLI look like this?

nat (inside,DMZ4) after-auto source static Andy Andy destination static test test

object network Andy
host 192.168.44.11
object network test
host 172.26.5.100