672 Views, 0 Helpful, 1 Reply

NAT Exemption with ACL

ccoutts
Level 1

Hi, using an ACL with NAT exemption, I'd like to have the following:

Traffic from 10.10.10.0 /24 bypass NAT exemption and allowed to be NATd

Any other 10.10.0.0 /16 traffic, don't NAT it.

My thoughts are this can be done using the following commands:

nat (inside) 0 access-list nonat

access-list nonat deny ip 10.10.10.0 255.255.255.0 any

access-list nonat permit ip 10.10.0.0 255.255.0.0 any

With the deny statement effectively defining traffic which I want to be exempt from NAT exemption?

Then have a NAT ACL statement for whatever I want to NAT the 10.10.10.0 /24 traffic to.

Thanks,

Charles
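An added illustration (not from the original post or from Cisco) of how the nonat ACL above is evaluated under first-match semantics: a permit entry exempts the flow from NAT, a deny entry excludes it from the exemption so the regular NAT rules apply, and anything unmatched hits the implicit deny and is also NATed. The ACL lines are constructed from the question, with the "ip" protocol keyword assumed on both entries.

```python
import ipaddress

# Constructed copy of the ACL from the question (not a running config).
NONAT_ACL = [
    "access-list nonat deny ip 10.10.10.0 255.255.255.0 any",
    "access-list nonat permit ip 10.10.0.0 255.255.0.0 any",
]


def _parse_addr(tokens, i):
    """Parse one address operand at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a real subnet mask (not an IOS wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Turn 'access-list NAME permit|deny ip SRC MASK DST MASK' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return {"name": t[1], "action": t[2], "src": src, "dst": dst}


def is_nat_exempt(acl_lines, src_ip, dst_ip):
    """First-match evaluation of a 'nat (inside) 0 access-list' ACL.

    Returns True when the flow bypasses NAT (matched a permit entry) and
    False when it is subject to the regular NAT rules (matched a deny entry
    or fell through to the implicit deny at the end of the list).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"] == "permit"
    return False  # implicit deny: not exempt, so normal NAT applies


if __name__ == "__main__":
    for s in ("10.10.10.5", "10.10.20.5", "10.20.1.1"):
        verdict = "exempt" if is_nat_exempt(NONAT_ACL, s, "192.168.1.1") else "NATed"
        print(f"{s} -> {verdict}")
```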

1 Reply

a-vazquez
Level 6

When the security appliance sends encrypted VPN traffic back out this same interface, however, NAT is optional. The VPN-to-VPN works with or without NAT. To apply NAT to all outgoing traffic, implement only the commands above. To exempt the VPN-to-VPN traffic from NAT, add commands (to the example above) that implement NAT exemption for VPN-to-VPN traffic, such as:

hostname(config)# access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

hostname(config)# nat (outside) 0 access-list nonat