https://community.cisco.com/t5/network-security/nat-question/m-p/2270258#M346558 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess you already asked something like this on the previous thread.</P><P></P><P>If you situation is still so that NO HOSTS need to be NATed through the firewall then you can simply LEAVE OUT ALL NAT configurations.</P><P></P><P>Generally when people need to exempt hosts from NAT they usually only have certain destination networks for which this should apply. (VPN connections). So you usually define destination parameters for the NAT configuration also.</P><P></P><P>Then you might naturally have public subnets behind the firewall that dont need NAT. As long as no other NAT rule matches these public subnets as a source then you can simply leave out all NAT configuration.</P><P></P><P>From what I tested I wouldnt probably suggest the above NAT configuration even though I mentioned it in the other thread. It might possibly even cause problems.</P><P></P><P>I would suggest the other format which basically is that you define the source networks behind that interface under an <STRONG>"object-group network"</STRONG> and then configure the NAT rule</P><P></P><P><STRONG>object-group network NETWORKS</STRONG></P><P><STRONG> network-object <NETWORK> <MASK></MASK></NETWORK></STRONG></P><P><STRONG> network-object <NETWORK> <MASK></MASK></NETWORK></STRONG></P><P></P><P><STRONG>nat (interface,any) source static NETWORKS NETWORKS</STRONG></P><P></P><P>Pretty hard to say more than that when dont have exact picture of the situation.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 11 Jul 2013 18:50:23 GMT Jouni Forss 2013-07-11T18:50:23Z https://community.cisco.com/t5/network-security/nat-question/m-p/2270257#M346557 <P>Hi Experts,</P><P></P><P>Quick question, if i want to do NAT exception for <STRONG>ALL ip traffic</STRONG> on an interface in version 8.4(2). what should i do?</P><P></P><P>just want to double check it... would it work or should i use another method: <STRONG>nat (<EM>interface</EM>,any) source static any any</STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P> Thanks,</P><P><BR />Soroush.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 02:11:08 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/2270257#M346557 smehrnia 2019-03-12T02:11:08Z https://community.cisco.com/t5/network-security/nat-question/m-p/2270258#M346558 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess you already asked something like this on the previous thread.</P><P></P><P>If you situation is still so that NO HOSTS need to be NATed through the firewall then you can simply LEAVE OUT ALL NAT configurations.</P><P></P><P>Generally when people need to exempt hosts from NAT they usually only have certain destination networks for which this should apply. (VPN connections). So you usually define destination parameters for the NAT configuration also.</P><P></P><P>Then you might naturally have public subnets behind the firewall that dont need NAT. As long as no other NAT rule matches these public subnets as a source then you can simply leave out all NAT configuration.</P><P></P><P>From what I tested I wouldnt probably suggest the above NAT configuration even though I mentioned it in the other thread. It might possibly even cause problems.</P><P></P><P>I would suggest the other format which basically is that you define the source networks behind that interface under an <STRONG>"object-group network"</STRONG> and then configure the NAT rule</P><P></P><P><STRONG>object-group network NETWORKS</STRONG></P><P><STRONG> network-object <NETWORK> <MASK></MASK></NETWORK></STRONG></P><P><STRONG> network-object <NETWORK> <MASK></MASK></NETWORK></STRONG></P><P></P><P><STRONG>nat (interface,any) source static NETWORKS NETWORKS</STRONG></P><P></P><P>Pretty hard to say more than that when dont have exact picture of the situation.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 11 Jul 2013 18:50:23 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/2270258#M346558 Jouni Forss 2013-07-11T18:50:23Z