Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
998
Views
5
Helpful
2
Replies

ASA 7.2 - override Nat0 for single IP

shuem@trinity-health.org
Level 1
Level 1

‎03-28-2019 08:04 AM - edited ‎02-21-2020 08:59 AM

I have inherited a very old and very ugly ASA firewall policy.  I'm more of a Checkpoint firewall engineer but do have some basic Cisco knowledge and have been muddling through on the CLI as best I can until we can get this site to our corporate standards. 

That said, we have recently deployed a proxy server/content filter for internet browsing and due to the positioning of this, we have had to implement a rather large nat0 ACL so that browser traffic gets sent (via WCCP managed on the internet router, one step beyond the ASA outbound), it is not NAT'd.  While this works fine in most cases, its obviously problematic in a few situations (such as any service other than http/https still needing a public NAT for traversing the internet.  Currently this is handled via overload addresses on the Internet router).  

My critical/immediate issue right now is that I've got an entry in the nat0 ACL for a /24 internal network, but I need to essentially override that for a single IP within that /24 network range so that this one particular source IP gets a specific public NAT when traversing the internet.  

I guess what I'm looking for is some kind of ACL I can write for a specific host which would be 'more specific' and therefore take precedent over the nat0 ACL for the /24 network?  Or does the nat0 ACL 'trump all other ACLs' ?  

Any help is appreciated.  Note that upgrading this ASA code is kind of out of the question at this time. 

0 Helpful
2 Replies 2

shuem@trinity-health.org
Level 1
Level 1

‎03-28-2019 11:31 AM

Just an update - I have found the answer for this particular need. 

A 'deny' statement for the host IP above the 'permit' statement for the network excludes that one host from nat exclusion and therefore invokes the static NAT for that host.  

None of this is ideal, obviously, but its what I've got to work with for now.  

John-Finnegan
Level 1
Level 1
In response to shuem@trinity-health.org

‎03-29-2019 12:26 PM

Hey Shuem,

 

That is correct. The easiest way to bypass the NAT Exemption (NAT 0) for a single host when using network like that is to put a deny statement for the single host in the network that should still NAT.

 

I would also recommend upgrading that code version when/if you get the chance.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card