10-18-2023 01:34 PM
Forum,
I have been tasked with creating a NAT exemption for one of our VLANs/networks.
I know we used to use a "NONAT" rule back in the legacy PIX days.. yes, I am dating myself a bit.
I am not sure how to tackle this on our ASA which is a model 5516 running version
10-18-2023 01:38 PM
@KMNRuser ASA NAT exemption rule example:-
object network INSIDE
subnet 192.168.10.0 255.255.255.0
object network REMOTE
subnet 10.1.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static REMOTE REMOTE
Amend the objects and nameifs to fit your needs.
10-19-2023 07:21 AM
Rob,
Thanks for your response.
I am wondering about the router side.
I am thinking it would be on the router side where i also need to make a configuration that would keep that network from being translated.
The network in question is 10.200.1.49 255.255.255.240. The configuration on the router for the tunnel back to the Firewall is:
interface Tunnel11
ip address 10.12.200.166 255.255.255.252
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel destination 10.2.4.100
tunnel protection ipsec profile SCADA_PRI
and the only NAT statement i see on the router at all is:
"ip nat inside source list Overload interface GigabitEthernet0/0/0 overload"
I am not sure how to write the statement to exclude the network from the NAT.
Thanks again,
KMNRUser
10-19-2023 07:23 AM
@KMNRuser on the router side, configure the NAT ACL with a new ACE to deny traffic between the local networks and the remote VPN networks. This traffic will not be subjected to NAT translation. This ACE must be above the existing ACE that identifies (permits) traffic to be translated.
10-19-2023 08:11 AM
Rob,
Your response makes sense, but for the life of me I am unable to find the existing NAT ACL on the router.
That being said, there are several ACLs on the router, but none jump out with a description of NAT..
I know there has to be one as we have a working tunnel..
Here are the ACLs on the box:
ip access-list standard Member-Routes
10 permit 192.168.150.62
20 permit 10.200.1.48 0.0.0.15
ip access-list standard R_Access
10 permit 65.222.174.0 0.0.0.255
20 permit 65.222.216.216 0.0.0.7
30 permit 65.199.14.16 0.0.0.15
40 permit 209.10.79.64 0.0.0.63
50 permit 24.101.151.16 0.0.0.7
60 permit 24.101.151.24 0.0.0.7
70 permit 192.168.1.0 0.0.0.255
80 deny any
ip access-list extended CAP-FILTER
10 permit ip host 10.200.1.51 host 10.12.3.101
20 permit ip host 10.12.3.101 host 10.200.1.51
ip access-list extended CAP-FILTER2
10 permit ip host 192.168.150.62 host 10.2.4.100
20 permit ip host 10.2.4.100 host 192.168.150.62
ip access-list extended Overload
10 permit ip 10.200.1.48 0.0.0.15 any
ip access-list extended 100
10 permit ip 172.17.10.4 0.0.0.3 172.17.10.0 0.0.0.3
ip access-list extended 110
10 permit ip 10.200.1.48 0.0.0.15 192.168.1.0 0.0.0.255
20 permit ip 10.200.1.48 0.0.0.15 10.1.1.0 0.0.0.255
30 permit ip 10.200.1.48 0.0.0.15 192.168.3.0 0.0.0.255
40 permit ip 10.200.1.48 0.0.0.15 192.168.7.0 0.0.0.255
50 permit ip 10.200.1.48 0.0.0.15 10.254.254.0 0.0.0.255
60 permit ip 10.200.1.48 0.0.0.15 192.168.176.0 0.0.0.255
70 permit ip host 192.168.150.62 192.168.1.0 0.0.0.255
ip access-list extended 120
10 permit ip 10.200.1.48 0.0.0.15 10.2.1.0 0.0.0.255
20 permit ip 10.200.1.48 0.0.0.15 10.2.3.0 0.0.0.255
30 permit ip 10.200.1.48 0.0.0.15 10.2.251.0 0.0.0.255
40 permit ip host 192.168.150.62 10.2.1.0 0.0.0.255
50 permit ip host 192.168.150.62 host 10.2.4.100
60 permit ip host 192.168.150.62 host 10.12.254.146
ip access-list extended 130
10 permit ip host 192.168.150.62 10.11.3.0 0.0.0.255
20 permit ip 10.200.1.48 0.0.0.15 10.11.3.0 0.0.0.255
30 permit ip 10.200.1.48 0.0.0.15 10.13.3.0 0.0.0.255
ip access-list extended 140
10 permit ip host 10.200.1.51 host 10.12.3.101
20 permit ip host 10.200.1.51 host 10.12.3.102
30 permit ip host 10.200.1.51 host 10.12.11.104
40 permit ip host 10.200.1.52 host 10.12.3.101
50 permit ip host 10.200.1.52 host 10.12.3.102
60 permit ip host 10.200.1.52 host 10.12.11.104
70 permit ip host 10.200.1.49 host 10.12.3.101
80 permit ip host 10.200.1.49 host 10.12.3.102
90 permit ip host 10.200.1.49 host 10.12.11.104
Could it be one of these?
10-19-2023 08:16 AM
@KMNRuser it looks to be called Overload. So add an ACE number 5 to deny the traffic between local networks and remote networks.
ip nat inside source list Overload interface GigabitEthernet0/0/0 overload
ip access-list extended Overload
10 permit ip 10.200.1.48 0.0.0.15 any
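To make the ordering point in Rob's replies concrete, here is an added example (not Rob's, Cisco's or the poster's code): a small Python model of how an IOS `ip nat inside source list` ACL is evaluated, first match in sequence order with an implicit deny at the end, run over the Overload ACL from the thread as posted, with deny ACEs inserted above the permit, and with a deny mistakenly placed below it. The remote networks 10.12.3.0/24 and 10.12.11.0/24 and the sequence numbers 5 and 6 are assumptions chosen for illustration, not values from the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an IOS extended ACL (IP protocol only)."""
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "A.B.C.D wildcard", "host A.B.C.D" or "any"
    dst: str


def _match(spec: str, addr: str) -> bool:
    """Match an IPv4 address against an IOS address specification.

    IOS wildcard masks are inverted: a 1 bit means "don't care", so only
    the bits where the wildcard is 0 are compared.
    """
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv4Address(spec.split()[1]) == ipaddress.IPv4Address(addr)
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """Return the first ACE (in sequence order) matching the flow, or None."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace
    return None  # fell off the end: implicit deny


def is_translated(acl: List[Ace], src: str, dst: str) -> bool:
    """For 'ip nat inside source list <acl>': a permit match means the flow is
    translated; a deny match or no match at all means it is left untouched."""
    ace = first_match(acl, src, dst)
    return ace is not None and ace.action == "permit"


# The ACL exactly as shown in the thread: all of 10.200.1.48/28 is translated.
OVERLOAD_ORIGINAL = [
    Ace(10, "permit", "10.200.1.48 0.0.0.15", "any"),
]

# Corrected form: deny ACEs for the (assumed) remote VPN networks sit above
# the permit, so tunnel-bound traffic is excluded from NAT.
OVERLOAD_FIXED = [
    Ace(5, "deny", "10.200.1.48 0.0.0.15", "10.12.3.0 0.0.0.255"),    # assumed remote net
    Ace(6, "deny", "10.200.1.48 0.0.0.15", "10.12.11.0 0.0.0.255"),   # assumed remote net
    Ace(10, "permit", "10.200.1.48 0.0.0.15", "any"),
]

# Common mistake: the deny is appended after the permit and never matches,
# because the permit already caught the flow.
OVERLOAD_WRONG_ORDER = [
    Ace(10, "permit", "10.200.1.48 0.0.0.15", "any"),
    Ace(20, "deny", "10.200.1.48 0.0.0.15", "10.12.3.0 0.0.0.255"),
]


if __name__ == "__main__":
    flows = [("10.200.1.49", "10.12.3.101"), ("10.200.1.49", "203.0.113.10")]
    for name, acl in [("original", OVERLOAD_ORIGINAL),
                      ("fixed", OVERLOAD_FIXED),
                      ("wrong order", OVERLOAD_WRONG_ORDER)]:
        for src, dst in flows:
            hit = first_match(acl, src, dst)
            seq = hit.seq if hit else "implicit deny"
            print(f"{name:12} {src} -> {dst}: translated={is_translated(acl, src, dst)} (ACE {seq})")
```

Running it shows the hypothetical host 10.200.1.49 talking to 10.12.3.101 being translated under the original ACL, left untranslated under the corrected one (hitting ACE 5), and translated again when the deny is placed below the permit, while the internet-bound flow keeps being translated in all three cases.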
10-19-2023 07:27 AM
If you use a tunnel then you don't need any NONAT in the ASA or in the router, except a NONAT for the tunnel head, which is:
Nonat host 10.12.200.166 host 10.12.200.x
Because traffic will pass encapsulated inside the tunnel head.
10-20-2023 10:52 AM
I went to the command line on the router in question. This router is IOS; apparently there is not a "nonat" command..
ODEC-Cheriton-RTR# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ODEC-Cheriton-RTR(config)#nonat ?
% Unrecognized command
ODEC-Cheriton-RTR(config)#nonat ?
% Unrecognized command
Perhaps I am missing what you are trying to indicate?.. thx
10-20-2023 10:56 AM
@KMNRuser there is no "nonat" command; you define what to NAT using a "permit" in the NAT ACL and you define what not to NAT using a "deny" in the NAT ACL on the router, which goes above the permit ACE.
10-20-2023 11:00 AM
@Rob Ingram answered you.
There is no nonat command.
I wrote my post to explain what you need NONAT for in the router and the ASA.