https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592624#M202003 <P>Thaks <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A class="username" href="https://supportforums.cisco.com/users/favoritevanilla" title="View user profile.">Poonam</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="fullname"><SPAN rel="sioc:has_creator">I will try to </SPAN></SPAN>ordering NAT statement and check again</P><P>&nbsp;</P><P>Regards</P> Thu, 18 Dec 2014 11:27:38 GMT abdelmalik abbas 2014-12-18T11:27:38Z https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592620#M201999 <P>Hi</P><P>&nbsp;</P><P>I have issue with NATing , I have ASA 5025 x and i make static NAT for some servers and some users to access internet , also i have another branches i need to access it by my private IP , the nating to internet working fine but i try to make nat exemption to exclude the private IP from the NAT . kindly see following configuration&nbsp; :</P><P>&nbsp;</P><P>object-group network obj-10.10.0.5<BR />&nbsp;network-object host 10.10.0.5</P><P>&nbsp;</P><P>object-group network public-internet<BR />&nbsp;network-object host&nbsp; 1.1.1.1</P><P>nat (inside,outside) source static obj-10.10.0.5&nbsp; public-internet</P><P>&nbsp;</P><P>I use this line to exclude 10.0.0.0 when it try to access 10.11.0.0</P><P>&nbsp;</P><P>nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.11.0.0 obj-10.11.0.0</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:14:05 GMT https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592620#M201999 abdelmalik abbas 2019-03-12T05:14:05Z https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592621#M202000 <P>Probably the ordering of NAT statement is causing issue.</P><P>Instead of creating manual NAT for source NAT and NAT exempt.</P><P>Try creating object NAT for outgoing traffic and manual NAT for exemption of NAT .</P><P>The manual NAT is evaluated before object NAT.</P><P>And also ensure that the IP addresses in NAT exempt do not overlap the outgoing NAT traffic.</P><P>object nat config:</P><P>e.g. for object NAT.</P><P>object network test2<BR />&nbsp;host 10.1.1.1</P><P>object network test1<BR />&nbsp;host 1.1.1.1<BR />nat (inside,outside) static test2</P><P>&nbsp;</P><P>NAT exempt:</P><P>nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.11.0.0 obj-10.11.0.0</P><P>Thanks,</P> Tue, 16 Dec 2014 09:14:53 GMT https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592621#M202000 Rishabh Seth 2014-12-16T09:14:53Z https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592622#M202001 <P>Hi Abbas,</P><P>Run the command "Show NAT", to check the order of NAT policy, the order in which rules are checked on your ASA.</P><P>For NAT exemption to work, your NAT exempt&nbsp; rule most be shown before your regular NAT rule.</P><P>If it is not, they reorder the NAT statement in the running configuration.</P><P>HTH</P><P>"Please rate useful posts."</P> Thu, 18 Dec 2014 09:48:35 GMT https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592622#M202001 Poonam Garg 2014-12-18T09:48:35Z https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592623#M202002 <P>Thank <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A class="username" href="https://supportforums.cisco.com/users/risseth" title="View user profile.">risseth</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="fullname"><SPAN rel="sioc:has_creator">I will try to reorder the nating</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 18 Dec 2014 11:17:36 GMT https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592623#M202002 abdelmalik abbas 2014-12-18T11:17:36Z https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592624#M202003 <P>Thaks <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A class="username" href="https://supportforums.cisco.com/users/favoritevanilla" title="View user profile.">Poonam</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="fullname"><SPAN rel="sioc:has_creator">I will try to </SPAN></SPAN>ordering NAT statement and check again</P><P>&nbsp;</P><P>Regards</P> Thu, 18 Dec 2014 11:27:38 GMT https://community.cisco.com/t5/network-security/nat-execlude-problem/m-p/2592624#M202003 abdelmalik abbas 2014-12-18T11:27:38Z