https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445045#M662402 <HTML><HEAD></HEAD><BODY><P>The internal 172.16.34.208 can't get out to the Internet?</P><P>But you said is reachable from the Internet correct?</P><P></P><P>Is there an ACL applied to the inside interface? You can check with ''sh run access-group''</P><P></P><P>The other machines on the inside interface have Internet access as well?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 01 Jul 2010 02:10:07 GMT Federico Coto Fajardo 2010-07-01T02:10:07Z https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445042#M662337 <P>Hi,</P><P></P><P>I currently have a Static Nat for example ( web1-internal ) to ( web1-external ) - see Static Nat below !!!</P><P></P><P>Which allows external hosts to connect on a public address and then get translated to the internal address host !!</P><P></P><P>What l want to do now is permit http traffic from this internal host to outside but for some reason it is not working !!</P><P></P><P>I have tried adding a nat exempt rule using the inside host translated on the outbound interface with no luck</P><P></P><P>And also adding a access-list to the inside interface off :</P><P></P><P><STRONG>access-list inbound_inside permit tcp host web1 any eq www</STRONG></P><P></P><P>The current Static Nat rule is :</P><P></P><P><STRONG>static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500</STRONG></P><P></P><P></P><P>Example IP Addresses</P><P></P><P>web1 : 172.16.34.208</P><P>web1-xlate : 203.14.59.50</P><P></P><P></P><P></P><P>Let me know if you need more info or config !!!</P><P></P><P>Thanks Simon</P> Mon, 11 Mar 2019 18:05:46 GMT https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445042#M662337 sgalloway 2019-03-11T18:05:46Z https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445043#M662343 <HTML><HEAD></HEAD><BODY><P>Simon,</P><P></P><P>The static NAT that you mention is bidirectional.</P><P>This means that it will work for allowing inbound traffic to the public IP and outbound traffic from the server.</P><P></P><P>To allow outbound traffic nothing needs to be done because it is permitted by default.</P><P>(if you already have an ACL applied to the inside interface, then the traffic should be specified to be permitted).</P><P></P><P>To allow inbound traffic, you should explicitly allow the traffic in the ACL applied to the outside interface.</P><P></P><P>Federico.</P></BODY></HTML> Thu, 01 Jul 2010 01:42:48 GMT https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445043#M662343 Federico Coto Fajardo 2010-07-01T01:42:48Z https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445044#M662363 <HTML><HEAD></HEAD><BODY><P>Hi Federico,</P><P></P><P>I already have a acl on the outside interface :</P><P></P><P><STRONG>access-list inbound_outside permit tcp any host web1-xlate eq www</STRONG></P><P></P><P>This rule works fine !!</P><P></P><P>but going the other way with initiating the connection from the internal web1&nbsp; ( 172.16.34.208 ) to the outside doesn't work.</P><P></P><P>E.g l want to http to outside from web1 internally but it doesn't work ???</P><P></P><P>Any more suggestions !!</P><P></P><P>Thanks for your prompt reply - much appreciated !!</P><P></P><P>SG</P></BODY></HTML> Thu, 01 Jul 2010 02:04:41 GMT https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445044#M662363 sgalloway 2010-07-01T02:04:41Z https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445045#M662402 <HTML><HEAD></HEAD><BODY><P>The internal 172.16.34.208 can't get out to the Internet?</P><P>But you said is reachable from the Internet correct?</P><P></P><P>Is there an ACL applied to the inside interface? You can check with ''sh run access-group''</P><P></P><P>The other machines on the inside interface have Internet access as well?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 01 Jul 2010 02:10:07 GMT https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445045#M662402 Federico Coto Fajardo 2010-07-01T02:10:07Z https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445046#M662419 <HTML><HEAD></HEAD><BODY><P>Hi Federico,</P><P></P><P>all sorted now ,&nbsp;&nbsp; for some reason the guys that setup this internal server forgot to put the DNS Server in the IP addressing !!!</P><P></P><P>Http traffic from this internal server is now Fine !!!</P><P></P><P>thank you so much for your time Much appreciated</P><P></P><P>SG</P></BODY></HTML> Thu, 01 Jul 2010 02:19:01 GMT https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445046#M662419 sgalloway 2010-07-01T02:19:01Z https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445047#M662464 <HTML><HEAD></HEAD><BODY><P>Glad to hear that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Thank you,</P><P></P><P>Federico.</P></BODY></HTML> Thu, 01 Jul 2010 02:21:04 GMT https://community.cisco.com/t5/network-security/nat-exempt-question/m-p/1445047#M662464 Federico Coto Fajardo 2010-07-01T02:21:04Z