https://community.cisco.com/t5/network-security/nat-help/m-p/3025483#M134490 <P>Hi&nbsp;</P> <P>You can create 2 nat exemption for that.&nbsp;</P> <BLOCKQUOTE> <P>Object network obj-192.168.1.1</P> <P>&nbsp; Host 192.168.1.1</P> <P>!</P> <P>Object network obj-192.168.1.2</P> <P>&nbsp; Host 192.168.1.2</P> <P>!</P> <P>nat (Inside,DMZ) source static obj-10.10.1.1 obj-10.10.1.1 destination static obj-192.168.1.1 obj-192.168.1.1 no-proxy-arp route-lookup</P> <P>!</P> <P>nat (Inside,DMZ) source static obj-10.10.1.1 obj-10.10.1.1 destination static obj-192.168.1.2 obj-192.168.1.2 no-proxy-arp route-lookup</P> <P></P> </BLOCKQUOTE> <P>hope that helps.&nbsp;</P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Wed, 28 Jun 2017 05:04:02 GMT Francesco Molino 2017-06-28T05:04:02Z https://community.cisco.com/t5/network-security/nat-help/m-p/3025482#M134484 <P>Have an ASA5520 running 9.17 code. It currently has the following NAT statement in it:</P> <P>object network obj-10.10.1.1<BR />&nbsp;nat (inside,DMZ) static 172.252.252.252</P> <P></P> <P></P> <P>I have a need where I need this 10.10.1.1 host to be able to communicate with 2 specific hosts on the DMZ, but NOT get translated when doing so. The 2 hosts have IP's of 192.168.1.1 and 192.168.1.2. Not sure the config or type of NAT&nbsp;to do this nor am I sure the order of operations on which will take place first. I only want it not to translate going to the 2 hosts, the rest of the time I want it to keep getting translated to 172.252.252.252. Help appreciated. thank you</P> <P></P> Tue, 12 Mar 2019 09:38:00 GMT https://community.cisco.com/t5/network-security/nat-help/m-p/3025482#M134484 mjsully 2019-03-12T09:38:00Z https://community.cisco.com/t5/network-security/nat-help/m-p/3025483#M134490 <P>Hi&nbsp;</P> <P>You can create 2 nat exemption for that.&nbsp;</P> <BLOCKQUOTE> <P>Object network obj-192.168.1.1</P> <P>&nbsp; Host 192.168.1.1</P> <P>!</P> <P>Object network obj-192.168.1.2</P> <P>&nbsp; Host 192.168.1.2</P> <P>!</P> <P>nat (Inside,DMZ) source static obj-10.10.1.1 obj-10.10.1.1 destination static obj-192.168.1.1 obj-192.168.1.1 no-proxy-arp route-lookup</P> <P>!</P> <P>nat (Inside,DMZ) source static obj-10.10.1.1 obj-10.10.1.1 destination static obj-192.168.1.2 obj-192.168.1.2 no-proxy-arp route-lookup</P> <P></P> </BLOCKQUOTE> <P>hope that helps.&nbsp;</P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Wed, 28 Jun 2017 05:04:02 GMT https://community.cisco.com/t5/network-security/nat-help/m-p/3025483#M134490 Francesco Molino 2017-06-28T05:04:02Z https://community.cisco.com/t5/network-security/nat-help/m-p/3025484#M134498 <P>Thank you. That helps. One more follow up, I can do that same NAT and use a source subnet also, right? meaning if I decided I wanted everything on 10.10.1.0/24 subnet to NOT get translated when talking to 192.168.1.1 and 192.168.1.2, could I just change the statements to the following:</P> <P></P> <P>object network obj-10.1.1.0<BR />&nbsp;subnet 10.10.1.0 255.255.255.0</P> <P>nat (Inside,DMZ) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-192.168.1.1 obj-192.168.1.1 no-proxy-arp route-lookup</P> <P></P> <P>nat (Inside,DMZ) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-192.168.1.2 obj-192.168.1.2 no-proxy-arp route-lookup</P> <P></P> Wed, 28 Jun 2017 14:15:45 GMT https://community.cisco.com/t5/network-security/nat-help/m-p/3025484#M134498 mjsully 2017-06-28T14:15:45Z https://community.cisco.com/t5/network-security/nat-help/m-p/3025485#M134501 <P>Hi&nbsp;</P> <P></P> <P>Yes you can.</P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Wed, 28 Jun 2017 15:16:22 GMT https://community.cisco.com/t5/network-security/nat-help/m-p/3025485#M134501 Francesco Molino 2017-06-28T15:16:22Z https://community.cisco.com/t5/network-security/nat-help/m-p/3025486#M134509 <P>And this is what we call Identity NAT. Please further informations on this link: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html</P> Mon, 03 Jul 2017 12:41:59 GMT https://community.cisco.com/t5/network-security/nat-help/m-p/3025486#M134509 B. BELHADJ 2017-07-03T12:41:59Z