https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726983#M1001719 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Yes as long as the server IP address 2.2.2.2 is routable across your wan and is not used anywhere else this should be no problem at all. </P><P></P><P>It's not clear from your diagram what the addressing scheme is but as long as the remote sites route 2.2.2.2 back to HQ you should be fine. </P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Jul 2007 16:18:48 GMT Jon Marshall 2007-07-20T16:18:48Z https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726982#M1001718 <P>Hi,</P><P></P><P>Based on the attached diagram, i want to allow network monitoring server to monitor the remote branches routers, can i configure the ASA to allow traffic from monitoring server to branches routers without perform NAT ? if not, are there any way for us to achieve the objective ?</P><P></P><P>Thanks in advance.</P><P></P><P> </P><P></P> Tue, 26 Mar 2019 00:38:05 GMT https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726982#M1001718 benghock 2019-03-26T00:38:05Z https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726983#M1001719 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Yes as long as the server IP address 2.2.2.2 is routable across your wan and is not used anywhere else this should be no problem at all. </P><P></P><P>It's not clear from your diagram what the addressing scheme is but as long as the remote sites route 2.2.2.2 back to HQ you should be fine. </P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Jul 2007 16:18:48 GMT https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726983#M1001719 Jon Marshall 2007-07-20T16:18:48Z https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726984#M1001720 <HTML><HEAD></HEAD><BODY><P>I've tested the configuration with the below command, but it still not working. </P><P></P><P>nat (outside) 0 access-list outside_nat0_inbound</P><P>access-list outside_nat0_inbound extended permit ip host 2.2.2.2 host 1.1.1.1 </P><P>access-list outside_nat0_inbound extended permit ip host 2.2.2.2 host 1.1.1.1 </P><P></P><P>I've check the firewall log and below is the error log,</P><P></P><P>No translation group found for icmp src outside: 2.2.2.2 dst inside:1.1.1.1 (type 8, code 0)</P><P></P><P>Any ideas ?</P><P> </P></BODY></HTML> Sat, 21 Jul 2007 00:36:48 GMT https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726984#M1001720 benghock 2007-07-21T00:36:48Z https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726985#M1001721 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>I actually misread your diagram at first. The monitoring server is on the outside. You should not have to worry about a translation for 2.2.2.2. </P><P>If you did have to use a nat statement for every host on the outside of an ASA it woudl be very difficult to use it as an internet firewall <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Do you have translations set up for the inside servers eg. </P><P></P><P>static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255</P><P></P><P>Jon</P></BODY></HTML> Sat, 21 Jul 2007 03:48:26 GMT https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726985#M1001721 Jon Marshall 2007-07-21T03:48:26Z https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726986#M1001722 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>All for the remote routers are located within "inside" network, the monitoring server is located at "outside" network. I'll test the suggested command, but the command only applicable to one single host/router, how about the rest of the remote routers ?</P><P></P><P>Thanks.</P><P>Beng Hock</P><P></P><P></P></BODY></HTML> Sat, 21 Jul 2007 04:03:30 GMT https://community.cisco.com/t5/network-security/asa-nat-exempt-rule/m-p/726986#M1001722 benghock 2007-07-21T04:03:30Z