Cisco Support Community
New Member

Question about NAT Exemption

Hi,

I have the following scenario:

I want to reach an outside host under its original address and under its NAT address as it appears to the inside world.

(The host in the DMZ is translated to the Inside interface with a static NAT rule.)

Is it possible to reach this host from Inside under both the NAT and the original IP address?

Regards,

Dirk

5 REPLIES
Silver

Re: Question about NAT Exemption

Please clarify your scenario so that I can understand your requirements.

In general, NAT on PIX/ASA is not as flexible as, say, a Juniper or Checkpoint firewall.

New Member

Re: Question about NAT Exemption

----Inside--ASA---DMZ---Host

The host is translated to the inside network and can be reached by the translated address.

I would like hosts in the Inside network to be able to reach the host in the DMZ under both its original and its translated address.

At the moment it is working only with the translated address. I have already configured an exemption rule, but it is not working. In the syslog file I see that I have no matching translation rule.

Silver

Re: Question about NAT Exemption

Can't be done on an ASA appliance.

Get a Checkpoint firewall and it can do the trick for you.

Re: Question about NAT Exemption

And do you know why?

There's one book that shows the NAT order of operation as being first check NAT exemption, then static NAT.

Let us know.

Re: Question about NAT Exemption

I did some research and yes, it's possible.

You need to define 2 static policy NATs.

example:

real IP on DMZ: 20.20.20.20

NAT IP on inside: 192.168.100.20

Make sure you configure the correct order:

! the ACLs must exist before the static commands that reference them
access-list acl_policy1 extended permit ip host 20.20.20.20 any
access-list acl_policy2 extended permit ip host 20.20.20.20 any

! the first matching static is used for connections the DMZ host initiates
static (DMZ,inside) 192.168.100.20 access-list acl_policy1
static (DMZ,inside) 20.20.20.20 access-list acl_policy2

Telnet from a client on the inside network to the DMZ server using both IPs, NATted and real:

client#192.168.100.20 80
Trying 192.168.100.20, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 03:41:13 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 192.168.100.20 closed by foreign host]

client#20.20.20.20 80
Trying 20.20.20.20, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 03:41:21 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 20.20.20.20 closed by foreign host]
client#
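As an added example, not taken from any post in this thread, here is the same policy static NAT setup written out as a complete pre-8.3 ASA fragment, together with the checks a practitioner would run on the ASA itself before testing from a client. The interface names, security levels, interface addresses and the inside client address 192.168.100.10 are assumptions for illustration; only the server's real address 20.20.20.20, the mapped address 192.168.100.20 and the ACL names come from the thread.

```cisco
! Added example, not the poster's configuration. Interfaces, security levels
! and the inside client 192.168.100.10 are assumed for illustration.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 20.20.20.1 255.255.255.0
!
! Real address of the DMZ server is 20.20.20.20. It must be reachable from
! inside both as 192.168.100.20 (mapped) and as 20.20.20.20 (identity).
! The ACLs have to exist before the static commands that reference them.
access-list acl_policy1 extended permit ip host 20.20.20.20 any
access-list acl_policy2 extended permit ip host 20.20.20.20 any
!
! Order matters: for connections the DMZ server initiates towards inside,
! the first matching static wins, so it shows up as 192.168.100.20.
static (DMZ,inside) 192.168.100.20 access-list acl_policy1
static (DMZ,inside) 20.20.20.20 access-list acl_policy2
!
! Verification from exec mode. Each trace should end in "Action: allow";
! the first shows the NAT phase untranslating 192.168.100.20 to 20.20.20.20,
! the second matches the identity static for 20.20.20.20.
packet-tracer input inside tcp 192.168.100.10 1025 192.168.100.20 80
packet-tracer input inside tcp 192.168.100.10 1025 20.20.20.20 80
!
! Both static xlates should be present; the second one is an identity entry.
show xlate
show running-config static
```

Traffic from inside (security level 100) to DMZ (50) is permitted by default, so no access-group is needed on the inside interface for this test unless one is already applied there. On ASA 8.3 and later this syntax no longer exists: the translation becomes an `object network` for the real host 20.20.20.20 carrying `nat (DMZ,inside) static 192.168.100.20`, and no identity entry is required for the real address, because on those releases a packet no longer has to match a NAT rule to pass between interfaces.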
