https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344514#M310306 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For further information:</P><H3>Configuring Identity NAT</H3><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647">http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647</A></P><P></P><P><SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Thu, 24 Oct 2013 20:12:11 GMT andduart 2013-10-24T20:12:11Z https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344512#M310304 <P>I am running a ASA5545X pair with 8.4 IOS. </P><P></P><P>I want to make a rule that performs a NAT exemption for one host to any destination (this is because there is another upstream firewall that connects to the Internet, and I want the host to access it with its actualy address).</P><P></P><P>Would I use an obj-any for this as a destination?</P><P></P><P>If someone could give me a configuration example, it would be great.</P> Tue, 12 Mar 2019 02:56:06 GMT https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344512#M310304 Colin Higgins 2019-03-12T02:56:06Z https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344513#M310305 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess you could use Manual NAT to essentially configure Static Identity NAT for this single host</P><P></P><P>If the information was this</P><UL><LI>Source interface = <STRONG>LAN</STRONG></LI><LI>Destination interface = <STRONG>WAN</STRONG></LI><LI>Host IP = <STRONG>10.10.10.10</STRONG></LI></UL><P></P><P>Then the configuration could be</P><P></P><P><STRONG>object network HOST</STRONG></P><P><STRONG> host 10.10.10.10</STRONG></P><P></P><P><STRONG>nat (LAN,WAN) 1 source static HOST HOST</STRONG></P><P></P><P>Essentially what this would do is that when the host 10.10.10.10 connects to some destination host then as long as the ASAs routing table points towards WAN interface then this NAT configuration should be applied and let the packet preserve the original source address.</P><P></P><P>Its a different thing if you want to actually force all traffic from this single host (without NAT) towards any destination address through some interface that does NOT hold the default route.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 24 Oct 2013 20:05:19 GMT https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344513#M310305 Jouni Forss 2013-10-24T20:05:19Z https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344514#M310306 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For further information:</P><H3>Configuring Identity NAT</H3><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647">http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647</A></P><P></P><P><SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Thu, 24 Oct 2013 20:12:11 GMT https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344514#M310306 andduart 2013-10-24T20:12:11Z https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344515#M310307 <HTML><HEAD></HEAD><BODY><P>So I don't really need a destination field in this case? So if the internal (actual) address of the host is</P><P></P><P>192.168.108.4</P><P></P><P>I would do</P><P></P><P>object network TEST-HOST</P><P> host 192.168.108.4</P><P></P><P>nat (inside,outside) 1 source static TEST-HOST TEST-HOST</P><P></P><P>yes?</P></BODY></HTML> Thu, 24 Oct 2013 20:17:18 GMT https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344515#M310307 Colin Higgins 2013-10-24T20:17:18Z https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344516#M310308 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, that should be it especially since you seem to configure it for destination interface <STRONG>"outside" </STRONG>which most likely holds the default route on the ASA.</P><P></P><P>You can confirm the operation with<STRONG> "packet-tracer"</STRONG>, for example</P><P></P><P><STRONG>packet-tracer input inside tcp 192.168.108.4 12345 1.1.1.1 80</STRONG></P><P></P><P>This should show you a NAT Phase (among many other) which keeps the source address unchanged.</P><P></P><P>Let us know if it worked for you. If not then we will have to look at the<STRONG> "packet-tracer"</STRONG> output closely and perhaps the configurations.</P><P></P><P>Please do remember to mark a reply as the correct answer if it answered your question.</P><P></P><P>Feel free to ask more if needed <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 24 Oct 2013 20:20:55 GMT https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344516#M310308 Jouni Forss 2013-10-24T20:20:55Z https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344517#M310309 <HTML><HEAD></HEAD><BODY><P>yep, that worked</P><P></P><P>thanks</P></BODY></HTML> Thu, 24 Oct 2013 20:35:09 GMT https://community.cisco.com/t5/network-security/static-nat-on-8-4-question/m-p/2344517#M310309 Colin Higgins 2013-10-24T20:35:09Z