Does deny statement in NAT0 ACL bypass NAT

bluesteel
Level 1

Hi,

I have a NAT exemption question with regards to the order of operations. If the NAT0 ACL specifies a traffic flow with a deny statement (i.e. do not NAT exempt), would this flow be regarded as having completed the NAT obligation imposed by the order of operations (i.e. ACL, NAT, route)? In other words, if this deny statement in the NAT0 ACL was related to a VPN, would this flow be allowed over the VPN unchanged, or would it have to be NATed before?

Regards

Daniel

9 Replies

Daniel,

I cannot test it right now, but I believe that if you have a deny statement in the NAT0 ACL, it means it won't be checked against that rule.

It means it could be checked against any other NAT rule (in order of precedence).

However, it will be a good thing to confirm.


Federico.

Actually I just did a quick test...

My PC 1.1.1.1 is going through an ASA doing PAT.

I add a line:

access-list nonat deny ip host 1.1.1.1 any

nat (inside) 0 access-list nonat

Since it's a deny statement, my PC is using the PAT address to the Internet (after clearing the xlates/conns).

Federico.
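As an added illustration of the behaviour Federico observed (this is a constructed example, not configuration from the original post; the 1.1.1.0/24 inside network, the 192.168.2.0/24 VPN peer network, the interface names and the nat 1/global pair are assumptions), here is a complete pre-8.3 configuration that combines the deny line with a regular PAT rule. The comments trace what happens to the denied host and to an exempted host, which is the answer to the original VPN question:

```cisco
! Constructed pre-8.3 example: NAT exemption ACL with a deny line, plus regular PAT.
! Pre-8.3 evaluation order: nat 0 access-list (exemption) -> static -> policy NAT -> nat/global.
! A deny in the exemption ACL only means "not exempt"; evaluation carries on to the next NAT type.
access-list nonat deny ip host 1.1.1.1 any
access-list nonat permit ip 1.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Regular dynamic PAT for anything leaving inside that was not exempted above.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Flow 1.1.1.1 -> 192.168.2.10:
!   matches the deny line, so it is not exempted; it is not "finished" with NAT either,
!   it falls through to nat (inside) 1 and leaves with the outside interface address.
!   A crypto ACL written for 1.1.1.0/24 -> 192.168.2.0/24 will therefore not match it.
! Flow 1.1.1.20 -> 192.168.2.10:
!   matches the permit line, is exempted, and reaches the VPN with its real address.
! Caveat: with nat-control disabled (the default since 7.0) a flow that matches no NAT
!   rule at all passes untranslated; 1.1.1.1 does match nat 1 here, so it is PATed.
!
! Verification after the change (existing translations must be cleared first):
! clear xlate
! packet-tracer input inside tcp 1.1.1.1 1025 192.168.2.10 80
! packet-tracer input inside tcp 1.1.1.20 1025 192.168.2.10 80
```

In the packet-tracer output, compare the NAT phase of the two runs: the first should show the dynamic PAT rule being applied and the outside interface address as the translated source, the second should show the exemption with the source unchanged.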

Awesome Federico.

nat 0 ACL: can contain deny lines, but cannot contain ports and protocols.

Policy NAT ACL: cannot contain deny lines, but can contain ports and protocols.

-KS

Thanks Federico,

I also worked it out in GNS3 last night. NAT is a nightmare lol

Daniel,

Wait till you play with NAT in version 8.3 :-)

If you found the answer helpful, please consider rating the thread and marking it as answered.

Thank you.

Federico.

Hello,

Digging up an old post here, but I need some assistance with a NAT0 conversion.

How do you convert the deny statements in NAT0 from pre-8.3 to 8.3+?

So if I have

access-list nonat deny ip host 1.1.1.1 any

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

how do I convert that to 8.3+ such that 1.1.1.1 does not get exempted if I have a permit ip any any statement at the end?

Thank you for your help. :-)

Hi,

You don't need to do anything for the same. Just check if there is any NAT statement for the 1.1.1.1 IP address and use that NAT above the Manual NAT for the permit IP any any.

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor. So as long as I do an any any nonat statement with specific NAT rules for those deny statements on the PIX, that should cover it.

Hi,

Yes, that should cover it. You can still verify using the packet tracer on the ASA device.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia
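Putting Vibhor's advice into configuration, as an added example that is not part of the original thread (object names are assumptions, the PAT to the outside interface stands in for whatever NAT 1.1.1.1 really had, and the `no-proxy-arp route-lookup` keywords need 8.4(2) or later): an 8.3+ NAT rule cannot carry a deny line, so rule ordering does the work instead. Manual NAT (section 1) is evaluated top-down and the first match wins, so the specific rule for 1.1.1.1 goes in line 1 and the identity rule that replaces `permit ip any any` comes after it:

```cisco
! Constructed 8.3+ equivalent of:
!   access-list nonat deny ip host 1.1.1.1 any
!   access-list nonat permit ip any any
!   nat (inside) 0 access-list nonat
object network HOST-1.1.1.1
 host 1.1.1.1
object network ANY-NET
 subnet 0.0.0.0 0.0.0.0
!
! Line 1: the host that the old ACL denied gets the NAT it is supposed to have.
! Here that is dynamic PAT to the outside interface (assumption; use the real rule).
nat (inside,outside) 1 source dynamic HOST-1.1.1.1 interface
!
! Line 2: identity NAT for everything else; this is the old "permit ip any any" exemption.
! 1.1.1.1 never reaches this line because line 1 already matched it.
nat (inside,outside) 2 source static ANY-NET ANY-NET destination static ANY-NET ANY-NET no-proxy-arp route-lookup
!
! Verification:
! show nat detail                                  (rule order and hit counts)
! packet-tracer input inside tcp 1.1.1.1 1025 203.0.113.10 80
! packet-tracer input inside tcp 1.1.1.20 1025 203.0.113.10 80
```

The two packet-tracer runs should show line 1 translating 1.1.1.1 to the outside interface address and line 2 passing 1.1.1.20 through untranslated; if you later add another exemption that should also exclude 1.1.1.1, it has to go below line 1 as well, since nothing in 8.3+ re-creates the deny semantics once the specific rule is bypassed.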
