https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3828132#M11542 <P>I have inherited a very old and very ugly ASA firewall policy.&nbsp; I'm more of a Checkpoint firewall engineer but do have some basic Cisco knowledge and have been muddling through on the CLI as best I can until we can get this site to our corporate standards.&nbsp;<BR /><BR />That said, we have recently deployed a proxy server/content filter for internet browsing and due to the positioning of this, we have had to implement a rather large nat0 ACL so that browser traffic gets sent (via WCCP managed on the internet router, one step beyond the ASA outbound), it is not NAT'd.&nbsp; While this works fine in most cases, its obviously problematic in a few situations (such as any service other than http/https still needing a public NAT for traversing the internet.&nbsp; Currently this is handled via overload addresses on the Internet router).&nbsp;&nbsp;<BR /><BR />My critical/immediate issue right now is that I've got an entry in the nat0 ACL for a /24 internal network, but I need to essentially override that for a single IP within that /24 network range so that this one particular source IP gets a specific public NAT when traversing the internet.&nbsp;&nbsp;<BR /><BR />I guess what I'm looking for is some kind of ACL I can write for a specific host which would be 'more specific' and therefore take precedent over the nat0 ACL for the /24 network?&nbsp; Or does the nat0 ACL 'trump all other ACLs' ?&nbsp;&nbsp;<BR /><BR />Any help is appreciated.&nbsp; Note that upgrading this ASA code is kind of out of the question at this time.&nbsp;</P> Fri, 21 Feb 2020 16:59:31 GMT shuem@trinity-health.org 2020-02-21T16:59:31Z https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3828132#M11542 <P>I have inherited a very old and very ugly ASA firewall policy.&nbsp; I'm more of a Checkpoint firewall engineer but do have some basic Cisco knowledge and have been muddling through on the CLI as best I can until we can get this site to our corporate standards.&nbsp;<BR /><BR />That said, we have recently deployed a proxy server/content filter for internet browsing and due to the positioning of this, we have had to implement a rather large nat0 ACL so that browser traffic gets sent (via WCCP managed on the internet router, one step beyond the ASA outbound), it is not NAT'd.&nbsp; While this works fine in most cases, its obviously problematic in a few situations (such as any service other than http/https still needing a public NAT for traversing the internet.&nbsp; Currently this is handled via overload addresses on the Internet router).&nbsp;&nbsp;<BR /><BR />My critical/immediate issue right now is that I've got an entry in the nat0 ACL for a /24 internal network, but I need to essentially override that for a single IP within that /24 network range so that this one particular source IP gets a specific public NAT when traversing the internet.&nbsp;&nbsp;<BR /><BR />I guess what I'm looking for is some kind of ACL I can write for a specific host which would be 'more specific' and therefore take precedent over the nat0 ACL for the /24 network?&nbsp; Or does the nat0 ACL 'trump all other ACLs' ?&nbsp;&nbsp;<BR /><BR />Any help is appreciated.&nbsp; Note that upgrading this ASA code is kind of out of the question at this time.&nbsp;</P> Fri, 21 Feb 2020 16:59:31 GMT https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3828132#M11542 shuem@trinity-health.org 2020-02-21T16:59:31Z https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3828411#M11544 <P>Just an update - I have found the answer for this particular need.&nbsp;<BR /><BR />A 'deny' statement for the host IP above the 'permit' statement for the network excludes that one host from nat exclusion and therefore invokes the static NAT for that host.&nbsp;&nbsp;<BR /><BR />None of this is ideal, obviously, but its what I've got to work with for now.&nbsp;&nbsp;</P> Thu, 28 Mar 2019 18:31:57 GMT https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3828411#M11544 shuem@trinity-health.org 2019-03-28T18:31:57Z https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3829087#M11546 <P>Hey Shuem,</P><P>&nbsp;</P><P>That is correct. The easiest way to bypass the NAT Exemption (NAT 0) for a single host when using network like that is to put a deny statement for the single host in the network that should still NAT.</P><P>&nbsp;</P><P>I would also recommend upgrading that code version when/if you get the chance.</P> Fri, 29 Mar 2019 19:26:00 GMT https://community.cisco.com/t5/network-security/asa-7-2-override-nat0-for-single-ip/m-p/3829087#M11546 John-Finnegan 2019-03-29T19:26:00Z