https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197577#M876517 <P>Hi,</P><P></P><P>I just need someones advise on the adding a NAT exempt rle on my ASA 5520.</P><P></P><P>If I add an exempt from an IP to another IP it works, if I add a NAT exempt for a group name to a group range it won't work.</P><P></P><P>I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.</P><P></P><P>Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work. </P> Mon, 11 Mar 2019 14:49:32 GMT whiteford 2019-03-11T14:49:32Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197577#M876517 <P>Hi,</P><P></P><P>I just need someones advise on the adding a NAT exempt rle on my ASA 5520.</P><P></P><P>If I add an exempt from an IP to another IP it works, if I add a NAT exempt for a group name to a group range it won't work.</P><P></P><P>I am using the ASDM and I have created a group for a range of IP addresses and another group for some other IP ranges.</P><P></P><P>Are there any particular methods I should be following here? If I add all the exempt rules individually then they all work. </P> Mon, 11 Mar 2019 14:49:32 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197577#M876517 whiteford 2019-03-11T14:49:32Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197578#M876518 <HTML><HEAD></HEAD><BODY><P>In the IP to IP you use static, but for a network to network you can use static but you will have to hardcode the netmask to whatever the network is, for example:</P><P></P><P>static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0</P><P></P><P>otherwise, if you do not specify the netmask it will take the default which is 255.255.255.255.</P><P></P><P>for a particular group of IP addresses, you may use policy natting or identity nat</P><P></P><P>Policy Nat:</P><P>access-list test permit ip 10.10.10.0 255.255.255.0 any</P><P>access-list test permit ip 10.20.20.0 255.255.255.0 any</P><P>access-list test permit ip 10.30.30.0 255.255.255.0 any</P><P></P><P>nat (inside) 0 access-list test</P><P></P><P></P><P>Identity NAT</P><P></P><P>nat (inside) 0 10.10.10.0 255.255.255.0</P><P>nat (inside) 0 10.20.20.0 255.255.255.0</P><P>nat (inside) 0 10.30.30.0 255.255.255.0</P><P></P><P>this should work fine...</P><P></P><P>please vote for me if it is helpful!</P><P></P></BODY></HTML> Thu, 12 Feb 2009 20:16:18 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197578#M876518 oabduo983 2009-02-12T20:16:18Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197579#M876520 <HTML><HEAD></HEAD><BODY><P>tHANKS FOR THE VAL INFO. lATER</P></BODY></HTML> Thu, 12 Feb 2009 21:02:53 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197579#M876520 sdoremus33 2009-02-12T21:02:53Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197580#M876522 <HTML><HEAD></HEAD><BODY><P>Thanks, what is the NAT Exempt used for?</P><P></P><P>For example if I have 5 IP address of servers that I didn't want to get NAT'ed between an interface (DMZ) to a network range, how would I fo this?</P><P></P><P>Example</P><P></P><P>192.168.1.1/32</P><P>192.168.1.2/32</P><P>192.168.1.3/32</P><P>192.168.1.4/32</P><P>192.168.1.5/32</P><P></P><P>Not to get NAT'ed to</P><P></P><P>172.16.0.0/16 (DMZ interface)</P><P></P><P></P></BODY></HTML> Thu, 12 Feb 2009 21:19:43 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197580#M876522 whiteford 2009-02-12T21:19:43Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197581#M876523 <HTML><HEAD></HEAD><BODY><P>There are a couple ways of performing this </P><P>Assuming the network range (inside)connections initiated to 172.06.0.0/16 network in the DMZ range</P><P>Nat exemption</P><P>access-list exemptrffc permit ip 192.168.1.0 255.255.255.248 172.16.0.0 255.255.0.0</P><P>nat (inside)0 access-list exempttrffc </P><P>nat (inside) 1 </P><P>global (outside) 1 interface </P><P>This will provide nat exemption for any traffic srced from 192.168.1/29 initiated to 172.16.0.0 /16</P><P>while all other inside traffic will be patted to the outside interface address </P><P>Nat exemptions are always performed first in the NAT order of operations</P><P></P></BODY></HTML> Fri, 13 Feb 2009 03:58:03 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197581#M876523 sdoremus33 2009-02-13T03:58:03Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197582#M876524 <HTML><HEAD></HEAD><BODY><P>One last note: With NAT exemption you can initiate both inbound or outbound connections </P></BODY></HTML> Fri, 13 Feb 2009 04:02:05 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197582#M876524 sdoremus33 2009-02-13T04:02:05Z https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197583#M876525 <HTML><HEAD></HEAD><BODY><P>Thanks for your NAT Exempt example, how would I do this for say individual IP's only to the DMZ like:</P><P></P><P>192.168.1.10</P><P>192.168.1.150</P><P>192.168.1.225</P><P></P><P>Thanks</P></BODY></HTML> Fri, 13 Feb 2009 08:28:58 GMT https://community.cisco.com/t5/network-security/nat-exempt-rule/m-p/1197583#M876525 whiteford 2009-02-13T08:28:58Z