topic ASA 9.0 - how to display NAT Exemption - within the ASDM in Network Security

ASA 9.0 - how to display NAT Exemption - within the ASDM

Lance Wendel — Tue, 12 Mar 2019 02:22:41 GMT

Hi all,

my customer has upgraded to version 9.0 of the ASA, now it no longer

display the NAT exemption rules with the ASDM, is this something not supported

with ver 9.x or are we missing something here,

NAT-Exemption was done with the proxy-arp

we have a context for our company administration and they only use

the asdm. Even I could not find the Rules in ASDM that show the

exemption. Perhaps I don't know where to look.

any help on this please

regards,

Lancellot

Re: ASA 9.0 - how to display NAT Exemption - within the ASDM

Jouni Forss — Wed, 07 Aug 2013 12:33:44 GMT

Hi,

Its true that when the NAT format change was implemented with software jump from 8.2 to 8.3 that the NAT0 / NAT Exempt type configuration didnt exists anymore.

There is no more clear indication in the configuration itself that says its a NAT0 / NAT Exempt configurations

I'm a bit hesitant to even call it such though naturally I do as it would probably cause more confusion to call it something else.

Personally I dont use ASDM to configure NAT, ACL or much else either though I guess I could show you an example on my ASA from both CLI and the ASDM

So lets presume the situation is this

We have a L2L VPN connection
Internal and External interfaces are called: LAN and WAN
Local network is 10.0.0.0/24
Remote network is 192.168.0.0/24
We want to configure NAT0 / NAT Exempt for this in the new NAT format

object network LOCAL

subnet 10.0.0.0 255.255.255.0

object network REMOTE

subnet 192.168.0.0 255.255.255.0

nat (LAN,WAN) source static LOCAL LOCAL destination static REMOTE REMOTE

Essentially the above configuration tells the ASA that

Were doing NAT between LAN and WAN interfaces
The network defined under LOCAL should stay unchanged when the destination is the network defined under REMOTE (which is also unchanged, as in no NAT performed for destination either)

Here is picture of the same configuration from the ASDM

Configuration -> Firewall -> NAT Rules -view (click to enlarge)

Edit -view (click to enlarge)

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

ASA 9.0 - how to display NAT Exemption - within the ASDM

Marvin Rhoads — Wed, 07 Aug 2013 13:21:12 GMT

In addition to Jouni's correct reply (+5 endorsed), note that you are looking for "--Original--(S) --Original-- --Original--" in the "Action:Translated Packet" column. That has the equivalent effect of old style NAT exemption.

ASA 9.0 - how to display NAT Exemption - within the ASDM

Lance Wendel — Thu, 08 Aug 2013 14:00:04 GMT

thank you both for the quick reply

but what I am after is, this rule is not presented within the ASDM. is this meant to be or is there is a

tick or CLI I need to apply?

with kind regards

Lancellot

ASA 9.0 - how to display NAT Exemption - within the ASDM

Jouni Forss — Thu, 08 Aug 2013 14:11:48 GMT

Hi,

I am not sure I follow,

Are you saying that he had some old format NAT0 / NAT Exempt configurations on the firewall and booted the firewall to the new 9.0 software and there is no corresponding configuration on the firewall anymore?

I am not sure how the ASA converts the configurations but to my understanding NAT0 configurations should take the above type format. I personally manually convert old configurations so I am not that familiar with the ASAs automatic conversion of the NAT rules.

I guess the only way to confirm that you have a NAT0 configuration corresponding to the older software version in the new one would be to see both NAT configurations.

- Jouni

ASA 9.0 - how to display NAT Exemption - within the ASDM

Lance Wendel — Thu, 08 Aug 2013 14:15:31 GMT

Hi JouniForss,

before when he use to log in to the ASDM he was able to see the NAt Exempt, ever since he upgraded to the v9

this doesnot get displayed on the ASDM

thanks in advance

lance

ASA 9.0 - how to display NAT Exemption - within the ASDM

Jouni Forss — Thu, 08 Aug 2013 14:23:39 GMT

Hi,

I don't personally use ASDM for other than monitoring usually.

I can't remember what the old ASDM view was but I would imagine it has changed considerably compared to the new one since the NAT went a complete change/overhaul between 8.2 and 8.3 softwares.

I am affraid without seeing the old and new configuration and comparing them I can't say much about this.

But one thing is for sure, the new ASDM and ASA software makes no distinction between different types of NAT (NAT0, Dynamic PAT etc). They are sorted on the ASDM according to the Section (Sections 1 - 3) and according to the Rule type (Manual NAT or Auto NAT)

- Jouni

Hi Marvin,Can you bring more

cciardo — Thu, 24 Apr 2014 16:18:51 GMT

Hi Marvin,

Can you bring more detail to seeing the NAT Exempt rules in the ASDM gui with ver 9.0.
I tried adding the "-- Original --" on the "Query" NAT rules page but cannot see the old way the Exempt rules were showing.
Thanks Chris ciardo@brit.com