11-30-2010 09:38 AM - edited 03-11-2019 12:16 PM
Hi,
I have a NAT exemption question with regards to the order of operations. If the NAT0 ACL specifies a traffic flow with a deny statement (i.e. do not NAT exempt), would this flow be regarded as having completed the NAT obligation imposed by the order of operations (i.e. ACL, NAT, Route)? In other words, if this deny statement in the NAT0 ACL was related to a VPN, would this flow be allowed over the VPN unchanged, or would it have to be NAT'd before?
Regards
Daniel
11-30-2010 02:11 PM
Daniel,
I cannot test it right now, but I believe that if you have a deny statement in the NAT0 ACL, it means it won't be checked against that rule.
It means it could be checked against any other NAT rule (in order of precedence).
However, it will be a good thing to confirm.
Federico.
11-30-2010 02:32 PM
Actually I just did a quick test...
My PC 1.1.1.1 is going through an ASA doing PAT.
I add a line:
access-list nonat deny ip host 1.1.1.1 any
nat (inside) 0 access-list nonat
Since it's a deny statement, my PC is using the PAT address to the Internet (after clearing the xlates/conns).
Federico.
11-30-2010 06:38 PM
Awesome Federico.
nat 0 acl - can contain deny lines but cannot contain ports and protocols
policy nat acl - cannot contain deny lines but can contain ports and protocols
-KS
12-01-2010 01:16 AM
Thanks Federico,
I also worked it out in GNS3 last night, NAT is a nightmare lol
12-01-2010 05:55 AM
Daniel,
Wait till you play with NAT in version 8.3 :-)
If you found the answer helpful please consider rating the thread and marking it as answered.
Thank you.
Federico.
09-23-2015 11:18 PM
Hello,
Digging up an old post here, but I need some assistance with NAT0 conversion.
How do you convert the deny statements in NAT0 from pre-8.3 to 8.3+?
So if I have
access-list nonat deny ip host 1.1.1.1 any
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
How do I convert that to 8.3+ such that 1.1.1.1 does not get exempted if I have a permit ip any any statement at the end?
Thank you for your help. :-)
09-24-2015 06:31 AM
Hi,
You don't need to do anything for the same. Just check if there is any NAT statement for the 1.1.1.1 IP address and use that NAT above the manual NAT for the permit ip any any.
Thanks and Regards,
Vibhor Amrodia
09-25-2015 12:08 AM
Thanks Vibhor. So as long as I do an any any nonat statement with specific NAT rules for those deny statements on the PIX, that should cover it.
09-25-2015 09:12 AM
Hi,
Yes, that should cover it. You can still verify using the packet tracer on the ASA device.
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia
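The conversion Vibhor describes, written out as an added example (not configuration posted by anyone in this thread). It assumes ASA 8.3+ manual NAT (section 1), which is evaluated top-down with first match winning, so the specific rule for 1.1.1.1 must sit above the any-to-any identity rule that replaces the old "permit ip any any" exemption. The interface names, the object names and the 192.168.2.0/24 remote VPN network are constructed for the example; the old deny line becomes an explicit PAT rule placed first, which is what pre-8.3 did implicitly by letting 1.1.1.1 fall through to the regular nat/global rule.

```cisco
! --- pre-8.3 (what the thread starts from) ---
! access-list nonat deny ip host 1.1.1.1 any
! access-list nonat permit ip any any
! nat (inside) 0 access-list nonat

! --- 8.3+ equivalent (constructed example) ---
object network HOST-1-1-1-1
 host 1.1.1.1
object network VPN-REMOTE-NET
 description constructed example value, substitute the real remote VPN subnet
 subnet 192.168.2.0 255.255.255.0

! Section 1 (manual NAT) is walked top-down; the first matching line wins.
! Line 1: the host that was "deny" in the nonat ACL gets a specific rule first,
!         here dynamic PAT to the outside interface address, so it is never exempted.
nat (inside,outside) 1 source dynamic HOST-1-1-1-1 interface
! Line 2: identity (no-NAT) rule that replaces "permit ip any any" for VPN traffic.
!         Anything not already matched by line 1 lands here unchanged.
nat (inside,outside) 2 source static any any destination static VPN-REMOTE-NET VPN-REMOTE-NET no-proxy-arp route-lookup
```

Without an explicit line number a new `nat` statement is appended to the end of section 1, so if the identity rule already exists, add the host-specific rule with a lower line number rather than relying on entry order. The ordering can be checked on the box with `show nat` and confirmed per flow with the packet tracer Vibhor linked, for example `packet-tracer input inside tcp 1.1.1.1 12345 192.168.2.10 80`, whose NAT phase should show the dynamic PAT rule being hit rather than the identity rule (the destination address here is constructed to fall inside VPN-REMOTE-NET).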