ASA NAT Exempt Rule

benghock
Level 1

Hi,

Based on the attached diagram, I want to allow the network monitoring server to monitor the remote branch routers. Can I configure the ASA to allow traffic from the monitoring server to the branch routers without performing NAT? If not, is there any other way for us to achieve the objective?

Thanks in advance.

4 Replies

Jon Marshall
Hall of Fame

Hi

Yes, as long as the server IP address 2.2.2.2 is routable across your WAN and is not used anywhere else, this should be no problem at all.

It's not clear from your diagram what the addressing scheme is but as long as the remote sites route 2.2.2.2 back to HQ you should be fine.

HTH

Jon

I've tested the configuration with the commands below, but it is still not working.

nat (outside) 0 access-list outside_nat0_inbound

access-list outside_nat0_inbound extended permit ip host 2.2.2.2 host 1.1.1.1

I've checked the firewall log, and below is the error message:

No translation group found for icmp src outside: 2.2.2.2 dst inside:1.1.1.1 (type 8, code 0)

Any ideas ?

Hi

I actually misread your diagram at first. The monitoring server is on the outside. You should not have to worry about a translation for 2.2.2.2.

If you did have to use a NAT statement for every host on the outside of an ASA, it would be very difficult to use it as an internet firewall :)

Do you have translations set up for the inside servers, e.g.

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

Jon

Hi Jon,

All of the remote routers are located within the "inside" network; the monitoring server is located on the "outside" network. I'll test the suggested command, but that command is only applicable to one single host/router. What about the rest of the remote routers?

Thanks.

Beng Hock
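One way to cover every remote router with a single statement instead of one static per host, as an added example rather than anything posted in the thread. It keeps the pre-8.3 syntax used above and assumes the branch routers occupy 10.10.0.0/16 behind "inside" (a constructed range; substitute the real one):

```cisco
! Added example, not from the thread. Assumes the remote routers sit in
! 10.10.0.0/16 behind "inside" and the monitoring server is 2.2.2.2 on
! "outside". Pick ONE of the two translation options.
!
! Option A: identity static for the whole router block. Same idea as the
! single-host static above, but the netmask covers every router at once.
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
!
! Option B: NAT exemption. Note it is applied on the *inside* interface,
! the side the routers live on, not "nat (outside) 0" as in the attempt
! above. Exemption is bidirectional, so monitoring traffic in both
! directions bypasses translation.
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 host 2.2.2.2
nat (inside) 0 access-list inside_nat0_outbound
!
! Either way, traffic initiated from the lower-security outside interface
! still has to be permitted explicitly. Limit it to the monitoring host
! and only the protocols it needs (ICMP echo and SNMP here) rather than
! opening the router block to the whole outside.
access-list outside_access_in extended permit icmp host 2.2.2.2 10.10.0.0 255.255.0.0 echo
access-list outside_access_in extended permit udp host 2.2.2.2 10.10.0.0 255.255.0.0 eq snmp
access-group outside_access_in in interface outside
```

After applying either option, a ping from 2.2.2.2 to a router should no longer produce the "No translation group found" message in the log; if it still does, check that the router's address actually falls inside the block named in the static or the nat 0 access-list.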
