https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764430#M533217 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply,</P><P></P><P>What is the main difference between using identity nat and disabling nat control</P><P>Is there a benefit to keeping nat control on and using the nat (outside)&nbsp; 0&nbsp; method</P></BODY></HTML> Thu, 18 Aug 2011 02:29:05 GMT rrockliff 2011-08-18T02:29:05Z https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764428#M533215 <P>Hi All</P><P>I want to setup my FWSM so that the outside networks can communicate with the inside networks on their real ip address and visa versa. This is not an Internet facing Firewall and only being used to filter traffic between some secure networks, all of the users, domain controllers etc will sit on the outside, the mission critical devices will sit on the inside networks</P><P></P><P>Should i disable NAT control</P><P>or create nat rules similar to bellow using identity nat </P><P></P><P>nat (inside) 0 10.1.1.0 255.255.255.0</P><P>and </P><P>nat (outside) 0 10.1.20 255.255.255.0</P><P></P><P>Thanks for any assistance</P><P>Cheers</P><P>Richard</P><P></P><P><SPAN style="color: #333333;"></SPAN></P> Mon, 11 Mar 2019 21:13:31 GMT https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764428#M533215 rrockliff 2019-03-11T21:13:31Z https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764429#M533216 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can do both, eith disable nat-control and just allow the traffic from outside to inside through ACL's, or use nat exempt, something like this:</P><P>Lets say your source network on outside is 10.0.0.0/8 and inside is 20.1.0.0/16, then</P><P></P><P>access-list nonat permit ip 10.0.0.0 255.0.0.0 20.1.0.0 255.255.0.0</P><P></P><P>nat (outside) 0 access-list nonat</P><P></P><P>This would translate the ip into themselves, and is the correct way to do it.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks,</P><P>Varun</P><P></P><P>Please rate helpful posts</P></BODY></HTML> Thu, 18 Aug 2011 02:20:47 GMT https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764429#M533216 varrao 2011-08-18T02:20:47Z https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764430#M533217 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply,</P><P></P><P>What is the main difference between using identity nat and disabling nat control</P><P>Is there a benefit to keeping nat control on and using the nat (outside)&nbsp; 0&nbsp; method</P></BODY></HTML> Thu, 18 Aug 2011 02:29:05 GMT https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764430#M533217 rrockliff 2011-08-18T02:29:05Z https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764431#M533218 <HTML><HEAD></HEAD><BODY><P>Well there is no difference, enabling nat-control and using identity nat is only helpful if you want to nat all traffic but some specific traffic or subnet need not be natted, so you use nat exempt.</P><P></P><P>Moreover nat exempt is helppful because, you can specify the destination as well, along with the source, so as in my example, if the same subnet is going to 30.0.0.0, it would need natting, so it makes things a bit flexible.</P><P></P><P>Hope this helps</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Thu, 18 Aug 2011 02:34:13 GMT https://community.cisco.com/t5/network-security/what-is-the-best-way-to-bypass-nat-on-fwsm/m-p/1764431#M533218 varrao 2011-08-18T02:34:13Z