
ASA 9.0 - how to display NAT Exemption - within the ASDM

Lance Wendel
Level 1

Hi all,

My customer has upgraded to version 9.0 of the ASA, and now it no longer displays the NAT exemption rules with the ASDM. Is this something not supported with ver 9.x, or are we missing something here?

NAT-Exemption was done with the proxy-arp.

We have a context for our company administration and they only use the ASDM. Even I could not find the rules in ASDM that show the exemption. Perhaps I don't know where to look.

Any help on this, please.

Regards,

Lancellot

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

It's true that when the NAT format change was implemented with the software jump from 8.2 to 8.3, the NAT0 / NAT Exempt type configuration didn't exist anymore.

There is no longer a clear indication in the configuration itself that says it's a NAT0 / NAT Exempt configuration.

I'm a bit hesitant to even call it such, though naturally I do, as it would probably cause more confusion to call it something else.

Personally I don't use ASDM to configure NAT, ACL or much else either, though I guess I could show you an example on my ASA from both CLI and the ASDM.

So let's presume the situation is this:

  • We have a L2L VPN connection
  • Internal and External interfaces are called: LAN and WAN
  • Local network is 10.0.0.0/24
  • Remote network is 192.168.0.0/24
  • We want to configure NAT0 / NAT Exempt for this in the new NAT format

object network LOCAL
 subnet 10.0.0.0 255.255.255.0
object network REMOTE
 subnet 192.168.0.0 255.255.255.0
nat (LAN,WAN) source static LOCAL LOCAL destination static REMOTE REMOTE

Essentially the above configuration tells the ASA that

  • We're doing NAT between LAN and WAN interfaces
  • The network defined under LOCAL should stay unchanged when the destination is the network defined under REMOTE (which is also unchanged, as in no NAT performed for destination either)

Here is a picture of the same configuration from the ASDM:

[Image: Configuration -> Firewall -> NAT Rules view]

[Image: Edit view]

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

In addition to Jouni's correct reply (+5 endorsed), note that you are looking for "--Original--(S) --Original-- --Original--" in the "Action:Translated Packet" column. That has the equivalent effect of old style NAT exemption.

Hi Marvin,

Can you bring more detail to seeing the NAT Exempt rules in the ASDM GUI with ver 9.0?
I tried adding the "-- Original --" on the "Query" NAT rules page but cannot see the old way the Exempt rules were showing.
Thanks, Chris ciardo@brit.com

Thank you both for the quick reply, but what I am after is: this rule is not presented within the ASDM. Is this meant to be, or is there a tick or CLI I need to apply?

With kind regards,

Lancellot

Hi,

I am not sure I follow.

Are you saying that he had some old format NAT0 / NAT Exempt configurations on the firewall and booted the firewall to the new 9.0 software and there is no corresponding configuration on the firewall anymore?

I am not sure how the ASA converts the configurations but to my understanding NAT0 configurations should take the above type format. I personally manually convert old configurations so I am not that familiar with the ASA's automatic conversion of the NAT rules.

I guess the only way to confirm that you have a NAT0 configuration corresponding to the older software version in the new one would be to see both NAT configurations.

- Jouni

Hi JouniForss,

Before, when he used to log in to the ASDM, he was able to see the NAT Exempt; ever since he upgraded to the v9 this does not get displayed on the ASDM.

Thanks in advance,

Lance

Hi,

I don't personally use ASDM for other than monitoring usually.

I can't remember what the old ASDM view was but I would imagine it has changed considerably compared to the new one since the NAT went through a complete change/overhaul between the 8.2 and 8.3 software.

I am afraid without seeing the old and new configuration and comparing them I can't say much about this.

But one thing is for sure, the new ASDM and ASA software makes no distinction between different types of NAT (NAT0, Dynamic PAT etc). They are sorted on the ASDM according to the Section (Sections 1 - 3) and according to the Rule type (Manual NAT or Auto NAT)

- Jouni
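
As an added example (not from the thread or from Cisco), here is one way to audit an 8.3+ running-config for the rules that play the old NAT0 / NAT Exempt role, given that the configuration no longer marks them: it flags manual NAT lines whose source, and destination if present, translate to themselves. Apart from the accepted answer's rule, the sample config, the function name and the regexes are assumptions; Auto NAT (object NAT) rules are not covered.

```python
import re

# Constructed sample running-config (ASA 8.3+ syntax). The first nat line is the
# one from the accepted answer; the DMZ objects and the other two rules are made up.
SAMPLE_CONFIG = """\
object network LOCAL
 subnet 10.0.0.0 255.255.255.0
object network REMOTE
 subnet 192.168.0.0 255.255.255.0
object network DMZ-SRV
 host 172.16.1.10
object network DMZ-SRV-PUBLIC
 host 203.0.113.10
nat (LAN,WAN) source static LOCAL LOCAL destination static REMOTE REMOTE
nat (DMZ,WAN) source static DMZ-SRV DMZ-SRV-PUBLIC
nat (LAN,WAN) after-auto source dynamic any interface
"""

# Assumes the subnet/host/range line directly follows its "object network" line.
OBJECT = re.compile(r"^object network (\S+)\n (subnet|host|range) (.+)$", re.M)
MANUAL_NAT = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)"
    r"(?: after-auto)?(?: \d+)?"
    r" source (?P<stype>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
)

def find_identity_nat(config):
    """Return manual NAT rules that leave source (and destination, if given) untranslated."""
    objects = {name: f"{kind} {val}" for name, kind, val in OBJECT.findall(config)}
    hits = []
    for line in config.splitlines():
        m = MANUAL_NAT.match(line)
        if not m or m["stype"] != "static" or m["src_real"] != m["src_mapped"]:
            continue  # not a static rule, or the source is really translated
        if m["dst_mapped"] and m["dst_mapped"] != m["dst_real"]:
            continue  # destination is translated, so this is not an exemption
        hits.append({
            "rule": line.strip(),
            "interfaces": (m["real_if"], m["mapped_if"]),
            "source": objects.get(m["src_real"], m["src_real"]),
            "destination": objects.get(m["dst_real"], m["dst_real"]) if m["dst_real"] else "any",
        })
    return hits

if __name__ == "__main__":
    for hit in find_identity_nat(SAMPLE_CONFIG):
        print(hit)
```

Only the LOCAL/REMOTE rule is reported for the sample; the static translation to DMZ-SRV-PUBLIC and the dynamic PAT rule are skipped because they change the source address.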
