New Member

Need Help Nat 0 for ASA 5510 8.4(5)

Hello

Most of my experience was with PIX, then we got a few ASA 5505s pre-IOS 8.3, so we still used the NAT0 access list for site-to-site VPN.

I am having trouble understanding Twice NAT / Identity NAT and can't see how to use it with an access-list NAT 0.

Basic setup: single source LAN 10.x.0.0. I want all traffic to use dynamic NAT with a specified IP, which I have already set up, but I need to exempt the source IP from NAT when it's bound for one of my other 10.x.0.0 sites and use NAT for internet traffic. Any help is much appreciated; this new change is somewhat confusing.

VIP Green

Need Help Nat 0 for ASA 5510 8.4(5)

What you want is NAT Exempt. You would need to do something like the following:

object network LAN
 subnet 10.x.0.0 255.255.0.0
object network OTHER_SITES
 subnet 10.x.0.0 255.255.0.0

nat (inside,outside) source static LAN LAN destination static OTHER_SITES OTHER_SITES

-- Please remember to rate and select a correct answer
New Member

Re: Need Help Nat 0 for ASA 5510 8.4(5)

Thanks Marius,

That's what I got out of the documentation I found.

I just could not believe you can't specify destination static as an access list like in the old NAT0 days.

nat (inside,outside) source static LAN LAN destination static access-list Nat0

Would it be a security issue to open a whole subnet?

object network OTHER_SITES
 subnet 10.0.0.0 255.0.0.0

VIP Green

Need Help Nat 0 for ASA 5510 8.4(5)

There are some big changes between 8.0 and 8.3 and higher, especially when it comes to NAT. We are now required to create object groups instead of ACLs.

-- Please remember to rate and select a correct answer
New Member

Re: Need Help Nat 0 for ASA 5510 8.4(5)

OK, so if I had to exempt NAT for the following, would I do an object group or

object network OTHER_SITES
 subnet 10.0.0.0 255.0.0.0

access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.12.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.16.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.17.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.18.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.19.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.24.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.25.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.28.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.27.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.26.0.0


etc

VIP Green

Re: Need Help Nat 0 for ASA 5510 8.4(5)

Well, that is really up to you. If you are OK with all subnets within the 10.0.0.0/8 range not being NATed then go for it. Though I have experienced that NAT can act a bit strange if you use the same network group for both source and destination in the NAT statement. So if you experience the same then create another network object with the same 10.0.0.0/8 range and use that as the destination and things should be all good.

-- Please remember to rate and select a correct answer
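
Added example, not written by any poster in this thread: a small Python converter that turns a legacy nat0 access list like the one posted above into an object-group plus a single twice NAT exemption, so the exemption stays limited to the listed /16 sites instead of all of 10.0.0.0/8. The function name convert_nat0 is hypothetical; the object names LAN and OTHER_SITES and the (inside,outside) interface pair are taken from the thread, and the sample input is constructed from its entries.

```python
import ipaddress
import re

# Legacy form: access-list <name> extended permit ip <src> <mask> <dst> <mask>
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def convert_nat0(acl_text, src_obj="LAN", dst_group="OTHER_SITES",
                 real_if="inside", mapped_if="outside"):
    """Return (config_lines, rejected_lines) for a legacy nat0 ACL."""
    sources, dests, rejected = [], [], []
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        m = ACL_RE.match(line)
        if not m:
            rejected.append(line)   # e.g. an entry whose destination mask is missing
            continue
        try:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
        except ValueError:
            rejected.append(line)   # invalid mask, or host bits set in the address
            continue
        sources.append(src)
        dests.append(dst)
    # Drop duplicate entries while keeping the original order.
    sources, dests = list(dict.fromkeys(sources)), list(dict.fromkeys(dests))
    if len(sources) != 1:
        raise ValueError("expected exactly one source network")
    cfg = [f"object network {src_obj}",
           f" subnet {sources[0].network_address} {sources[0].netmask}",
           f"object-group network {dst_group}"]
    cfg += [f" network-object {d.network_address} {d.netmask}" for d in dests]
    cfg.append(f"nat ({real_if},{mapped_if}) source static {src_obj} {src_obj} "
               f"destination static {dst_group} {dst_group}")
    return cfg, rejected

# Constructed sample: entries from the thread, one duplicate, one truncated entry.
SAMPLE = """
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.26.0.0
"""

if __name__ == "__main__":
    config, bad = convert_nat0(SAMPLE)
    print("\n".join(config + [f"! not converted: {b}" for b in bad]))
```

Entries that cannot be parsed are returned separately rather than guessed at, so they can be corrected by hand before the generated configuration is applied.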