cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
708
Views
6
Helpful
9
Replies

Creating a NAT exemption between an ASA and a Cisco router

KMNRuser
Level 1
Level 1

Forum,

I have been tasked with creating a NAT exemption for one of our vlans/networks.

I know we used to use a "NONAT" rule back in the legacy pix days.. yes i am dating myself a bit.

I am not sure how to tackle this on our ASA which is a model 5516 running version

 

 

9 Replies 9

@KMNRuser ASA NAT exemption rule example:-

object network INSIDE
 subnet 192.168.10.0 255.255.255.0
object network REMOTE
 subnet 10.1.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static REMOTE REMOTE

amend object and nameif's to fit your needs.

Rob,

Thanks for  your response.

I am wondering about the router side.

I am thinking it would be on the router side where i also need to make a configuration that would keep that network from being translated.

The network in question is 10.200.1.49 255.255.255.240.  The configuration on the router for the tunnel back to the Firewall is:

interface Tunnel11
ip address 10.12.200.166 255.255.255.252
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel destination 10.2.4.100
tunnel protection ipsec profile SCADA_PRI

and the only NAT statement i see on the router at all is:

"ip nat inside source list Overload interface GigabitEthernet0/0/0 overload"

I am not sure how to write the statement to exclude the network from the NAT.

Thanks again,

KMNRUser

@KMNRuser on the router side, configure the NAT ACL with a new ACE to deny traffic between the local networks and the remote VPN networks. This traffic will not be subjected to NAT translation. This ACE must be above the existing ACE that identifies (permits) traffic to be translated.

Rob,

Your response makes sense, but for the life of me I am unable to find the existing NAT ACL on the router.

That being said, there are several ACL's on the router.  But none jump out with a description of NAT..

I know there has to be one as we have a working tunnel..

Here are the ACL's on the box:

ip access-list standard Member-Routes

 10 permit 192.168.150.62

 20 permit 10.200.1.48 0.0.0.15

 

ip access-list standard R_Access

 10 permit 65.222.174.0 0.0.0.255

 20 permit 65.222.216.216 0.0.0.7

 30 permit 65.199.14.16 0.0.0.15

 40 permit 209.10.79.64 0.0.0.63

 50 permit 24.101.151.16 0.0.0.7

 60 permit 24.101.151.24 0.0.0.7

 70 permit 192.168.1.0 0.0.0.255

 80 deny   any

 

ip access-list extended CAP-FILTER

 10 permit ip host 10.200.1.51 host 10.12.3.101

 20 permit ip host 10.12.3.101 host 10.200.1.51

ip access-list extended CAP-FILTER2

 10 permit ip host 192.168.150.62 host 10.2.4.100

 20 permit ip host 10.2.4.100 host 192.168.150.62

ip access-list extended Overload

 10 permit ip 10.200.1.48 0.0.0.15 any

ip access-list extended 100

 10 permit ip 172.17.10.4 0.0.0.3 172.17.10.0 0.0.0.3

ip access-list extended 110

 10 permit ip 10.200.1.48 0.0.0.15 192.168.1.0 0.0.0.255

 20 permit ip 10.200.1.48 0.0.0.15 10.1.1.0 0.0.0.255

 30 permit ip 10.200.1.48 0.0.0.15 192.168.3.0 0.0.0.255

 40 permit ip 10.200.1.48 0.0.0.15 192.168.7.0 0.0.0.255

 50 permit ip 10.200.1.48 0.0.0.15 10.254.254.0 0.0.0.255

 60 permit ip 10.200.1.48 0.0.0.15 192.168.176.0 0.0.0.255

 70 permit ip host 192.168.150.62 192.168.1.0 0.0.0.255

 

ip access-list extended 120

 10 permit ip 10.200.1.48 0.0.0.15 10.2.1.0 0.0.0.255

 20 permit ip 10.200.1.48 0.0.0.15 10.2.3.0 0.0.0.255

 30 permit ip 10.200.1.48 0.0.0.15 10.2.251.0 0.0.0.255

 40 permit ip host 192.168.150.62 10.2.1.0 0.0.0.255

 50 permit ip host 192.168.150.62 host 10.2.4.100

 60 permit ip host 192.168.150.62 host 10.12.254.146

ip access-list extended 130

 10 permit ip host 192.168.150.62 10.11.3.0 0.0.0.255

 20 permit ip 10.200.1.48 0.0.0.15 10.11.3.0 0.0.0.255

 30 permit ip 10.200.1.48 0.0.0.15 10.13.3.0 0.0.0.255

ip access-list extended 140

 10 permit ip host 10.200.1.51 host 10.12.3.101

 20 permit ip host 10.200.1.51 host 10.12.3.102

 30 permit ip host 10.200.1.51 host 10.12.11.104

 40 permit ip host 10.200.1.52 host 10.12.3.101

 50 permit ip host 10.200.1.52 host 10.12.3.102

 60 permit ip host 10.200.1.52 host 10.12.11.104

 70 permit ip host 10.200.1.49 host 10.12.3.101

 80 permit ip host 10.200.1.49 host 10.12.3.102

 90 permit ip host 10.200.1.49 host 10.12.11.104

Could it be one of these?

 

@KMNRuser it looks to be called Overload. So an an ACE number #5 to deny the traffic from local networks and remote networks.

"ip nat inside source list Overload interface GigabitEthernet0/0/0 overload

ip access-list extended Overload
 10 permit ip 10.200.1.48 0.0.0.15 any

 

If you use tunnel then you don't need any NONAT in Asa and in router except NONAT for tunnel head which is 

Nonat host 10.12.200.166 host 10.12.200.x

Because traffic will pass encapsulation inside tunnel head. 

I went to command line on the router in question.  Is this router IOS apparently there is not a "nonat" command..

ODEC-Cheriton-RTR# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ODEC-Cheriton-RTR(config)#nonat ?
% Unrecognized command
ODEC-Cheriton-RTR(config)#nonat ?
% Unrecognized command

 

perhaps I am missing what you are trying to indicate?..thx

@KMNRuser there is no "nonat" command, you define what to nat using a "pemit" in the NAT ACL and you define what not to nat using a "deny" in the NAT ACL on the router, which is above the permit ACE.

 @Rob Ingram answer you.

There is no command nonat.

I write my post to explain for which you need nonat in router and asa.

Review Cisco Networking for a $25 gift card