Cisco Support Community
v8.3 and above & NAT

I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.

We have public addresses inside the ASA and want to allow inbound/outbound connections using these IPs without NAT. The ASA is a 5550.

Accepted Solution

v8.3 and above & NAT

For static NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

becomes:

object network obj_test
  host 192.168.1.5
nat (inside,outside) source static obj_test obj_test          (manual NAT)

or

object network obj_test
  host 192.168.1.5
  nat (inside,outside) static 192.168.1.5                     (auto NAT; this is done inside the object only)

NAT exemption:

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1

becomes:

object network obj_test1
  subnet 192.168.1.0 255.255.255.0
object network obj_any
  subnet 0.0.0.0 0.0.0.0
nat (inside,any) source static obj_test1 obj_test1 destination static obj_any obj_any

I hope I was able to clear your doubts.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
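The translation in the accepted answer (host static to auto NAT, nat 0 access-list to a manual identity rule) can be mechanised, and doing so is a useful check when an 8.2 config has many such lines. The converter below is an added example written for this page; it is not code from the thread, from Cisco, or from the ASA upgrade migration. It parses the two pre-8.3 forms and emits 8.3+ object and NAT lines in the shape shown above. The object-name convention (obj-<address>, obj-<network>-<prefixlen>, obj-any) and the LEGACY_CONFIG sample are this example's own; the sample is constructed from the lines in this thread. It goes slightly beyond the answer's host example: subnet statics and non-identity statics are emitted as manual NAT with a same-size mapped object rather than as inline auto NAT, and the optional no-proxy-arp route-lookup keywords are added only on request, on the assumption that the target runs 8.4(2) or later, where those keywords exist.

```python
"""Added example: translate pre-8.3 ASA 'static' and 'nat 0 access-list' lines
into 8.3+ object NAT. Not code from the thread or from Cisco; the object-name
convention and the sample config below are this example's own."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the three legacy lines discussed in the thread.
LEGACY_CONFIG = """
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_if>[\w.-]+)\s*,\s*(?P<mapped_if>[\w.-]+)\s*\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)$")
# nat (real_ifc) 0 access-list name
NAT0_RE = re.compile(
    r"^nat\s*\(\s*(?P<real_if>[\w.-]+)\s*\)\s+0\s+access-list\s+(?P<acl>\S+)$")
# access-list name permit ip SRC DST, where SRC/DST is 'any', 'host A' or 'A MASK'
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)$")

Net = ipaddress.IPv4Network


def _network(spec: str) -> Net:
    """Parse an ACE address spec; raises ValueError for an unaligned subnet."""
    parts = spec.split()
    if parts == ["any"]:
        return Net("0.0.0.0/0")
    if parts[0] == "host":
        return Net(f"{parts[1]}/32")
    return Net(f"{parts[0]}/{parts[1]}")


def _object(net: Net, objects: Dict[str, List[str]]) -> str:
    """Return the object name for net, defining the object on first use."""
    if net.prefixlen == 0:
        name, body = "obj-any", ["subnet 0.0.0.0 0.0.0.0"]
    elif net.prefixlen == 32:
        name, body = f"obj-{net.network_address}", [f"host {net.network_address}"]
    else:
        name = f"obj-{net.network_address}-{net.prefixlen}"
        body = [f"subnet {net.network_address} {net.netmask}"]
    objects.setdefault(name, body)
    return name


def convert(legacy: str, route_lookup: bool = False) -> List[str]:
    """Return 8.3+ lines: object definitions first, then manual NAT rules.

    Host statics become auto NAT inside the object (as in the thread); subnet or
    non-identity statics become manual NAT with a same-size mapped object; each
    'nat 0' ACE becomes an identity rule 'source static X X destination static Y Y'.
    Lines that are none of these are ignored.
    """
    aces: Dict[str, List[Tuple[Net, Net]]] = {}
    statics, nat0s = [], []
    for raw in legacy.splitlines():
        line = " ".join(raw.split())  # tolerate 'static(inside, outside)' spacing
        if m := ACE_RE.match(line):
            aces.setdefault(m["acl"], []).append((_network(m["src"]), _network(m["dst"])))
        elif m := STATIC_RE.match(line):
            statics.append(m)
        elif m := NAT0_RE.match(line):
            nat0s.append(m)

    objects: Dict[str, List[str]] = {}
    rules: List[str] = []
    for m in statics:
        real, mapped = Net(f"{m['real']}/{m['mask']}"), Net(f"{m['mapped']}/{m['mask']}")
        s = _object(real, objects)
        if real.prefixlen == 32:
            objects[s].append(f"nat ({m['real_if']},{m['mapped_if']}) static {mapped.network_address}")
        else:
            d = _object(mapped, objects)
            rules.append(f"nat ({m['real_if']},{m['mapped_if']}) source static {s} {d}")
    for m in nat0s:
        for src, dst in aces.get(m["acl"], []):  # ACE order is preserved
            s, d = _object(src, objects), _object(dst, objects)
            rule = f"nat ({m['real_if']},any) source static {s} {s} destination static {d} {d}"
            if route_lookup:
                # Assumed 8.4(2)+: let the routing table pick egress and do not
                # proxy-ARP for addresses that are not really translated.
                rule += " no-proxy-arp route-lookup"
            rules.append(rule)

    out: List[str] = []
    for name, body in objects.items():
        out.append(f"object network {name}")
        out.extend(f" {b}" for b in body)
    return out + rules


if __name__ == "__main__":
    print("\n".join(convert(LEGACY_CONFIG, route_lookup=True)))
```

Paste the output in configuration mode with the objects first, then confirm the result on the box: show nat detail shows the new rules with their hit counts, and packet-tracer input inside tcp 192.168.1.5 1025 <remote host> 80 should show the flow leaving untranslated. Note that from 8.3 onwards interface access lists match on real (untranslated) addresses; with identity NAT the real and mapped addresses are the same, so the inbound ACL on outside continues to reference the public addresses exactly as it did before.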
7 REPLIES

Re: v8.3 and above & NAT

Hi Bob,

You can refer to this doc; it might make it simple for you:

Hope that helps.

Varun

Let me know if you have any confusion.

Thanks, Varun Rao Security Team, Cisco TAC

Re: v8.3 and above & NAT

Also, you would find good docs on the support forum as well, like these:

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

Video:

https://supportforums.cisco.com/docs/DOC-12324

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

Re: v8.3 and above & NAT

The PDF is a good document to have, so thanks for putting it up, but there's nothing in it on NAT exemption. I have seen all these documents and none discuss NAT exemption (nat 0 access-list).

Specifically, how do you move from either of these 2 methods used to avoid NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

(note: the IPs involved here are actually public IPs, not private)

OR

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1

to 8.3 or higher NAT notation?


v8.3 and above & NAT

Then, this might be what you are looking for:

https://supportforums.cisco.com/docs/DOC-11639

Hope that helps,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

Re: v8.3 and above & NAT

Many thanks. I have to add my vote to those who say this new syntax in 8.3+ is not great but so what, we have to adapt to it.


v8.3 and above & NAT

Sure, thanks. I work with the 8.3 NAT day in and day out and I feel it is far better than the earlier ones; it seems more logical. Although, yes, there might be some things like creating objects, overall it's a thumbs up from me.

Cheers,

Varun

Thanks, Varun Rao Security Team, Cisco TAC