4266 Views | 15 Helpful | 7 Replies

How to bypass NAT

Mokhalil82 (Level 4)

Hi

I want to know the commands to bypass NAT on an ASA 5505, pre-8.3.

I have a router at the edge that is doing the NATting, so I want the ASA to simply send the traffic without performing any NATting.


Thanks

7 Replies

Vibhor Amrodia (Cisco Employee)

Hi,

If you want all the traffic to not be NATted, you can use this simple ASA NAT statement:

object network obj-0.0.0.0
subnet 0 0
nat (inside,outside) static 0.0.0.0

Also, if you want only certain traffic to not be NATted, you can use Manual NAT:

object network obj-LAN
subnet 10.0.0.0 255.0.0.0
object network remote-subnet
subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static obj-LAN obj-LAN destination static remote-subnet remote-subnet

This would mean that only traffic from 10.0.0.0 going to 172.16.0.0 would not be NATted.

Thanks and Regards,

Vibhor Amrodia

Hi, thanks for the responses.

So the existing NAT config I have is as follows (firewalls are my very weak point):

global (OUTSIDE) 10 interface
nat (INSIDE) 10 172.20.0.0 255.255.0.0

route OUTSIDE 0.0.0.0 0.0.0.0 172.20.152.2 1
route INSIDE 172.20.0.0 255.255.0.0 172.20.152.9 1

I've included this ACL; I'm guessing it won't block any traffic initiated from the inside. This allows the router to connect to the SNMP server for monitoring:

access-list OUTSIDE_access_in extended permit ip any host 172.20.0.57

access-group OUTSIDE_access_in in interface OUTSIDE

So 172.20 is my inside network.

Am I right in saying I do the following:

no nat (INSIDE) 10 172.20.0.0 255.255.0.0

nat (INSIDE) 0

Looking at the commands, the 0 indicates no translation. I just want to not NAT anything coming through the firewall, as the router will be doing the NATting.

Thanks

If you don't want to do any NAT on the firewall, you can disable NAT completely:

no nat-control
clear config nat
clear config global
clear config static

But for that, your ASA version shouldn't be too old.

Just note that "no nat-control" was introduced in 7.0, so you probably have that.

Thanks Guys

I can now ping from the internal network to external IPs; however, I cannot ping external IPs from the ASA itself. My pings to the internet gateway are intermittent, but I get ???? when pinging any other external IPs.

I have allowed ICMP to travel through the ASA.

First make sure that the ASA doesn't block ICMP replies (the defaults are typically ok):

clear configure icmp

Then I would troubleshoot on the router:

  1. Do you allow outgoing traffic on the router from the ASA outside IP?
  2. Is the transfer-network from the ASA to the router (the network of your outside ASA IP) part of the traffic that the router is allowed to NAT?

Thanks Karsten

Managed to get it to work by investigating on the router. There was a static NAT statement converting a public IP to the IP address of the outside interface. I didn't see any use for it, as I believe the router config was copied from another router.

Upon removing it the asa pings started working fine.


Thanks for the help

You are looking for NAT Exemption.

  1. You configure an ACL with the traffic that should not be NATted.
  2. You use this ACL with the "nat (interface) 0" command on the interface with the higher security level.
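As an added worked example (not posted by anyone in this thread), here is what the two approaches discussed above look like on the pre-8.3 ASA from the original question: NAT exemption with "nat 0 access-list" for selected traffic, and "no nat-control" for no translation at all. The INSIDE/OUTSIDE interface names, the existing nat/global lines and the 172.20.0.0/16 inside range come from the poster's own config; the ACL name NONAT and the packet-tracer test destination 198.51.100.1 are placeholders I chose. Apply one option, not both.

```cisco
! Added example, not from any post in this thread. Pre-8.3 ASA syntax.
! INSIDE/OUTSIDE and 172.20.0.0/16 are from the poster's config; NONAT and
! 198.51.100.1 are placeholders chosen for this example.
!
! --- Option A: exempt only selected traffic (NAT exemption, "nat 0 access-list")
! Remove the existing dynamic PAT first so it cannot claim the traffic before the
! exemption is evaluated.
no nat (INSIDE) 10 172.20.0.0 255.255.0.0
no global (OUTSIDE) 10 interface
! The ACL lists the traffic that must cross the ASA untranslated; the source is the
! network on the higher-security interface. Narrow "any" to the remote networks if
! only some destinations should be exempt.
access-list NONAT extended permit ip 172.20.0.0 255.255.0.0 any
! Bind the ACL with "nat 0" on the higher-security interface. Matching traffic gets
! no translation slot in either direction.
nat (INSIDE) 0 access-list NONAT
!
! --- Option B: no translation at all ("no nat-control")
! With nat-control off, traffic that matches no nat statement passes untranslated,
! so the interface ACLs (e.g. OUTSIDE_access_in) are the only thing deciding what
! may cross the firewall. Review them before clearing the NAT config.
no nat-control
clear configure nat
clear configure global
clear configure static
!
! --- Checks (either option)
! Expect "nat (INSIDE) 0 access-list NONAT" for option A, or no nat lines for option B.
show running-config nat
! Simulate an inside host pinging an outside address. The NAT phase should show the
! packet untranslated and the final result should be "Action: allow".
packet-tracer input INSIDE icmp 172.20.0.57 8 0 198.51.100.1
! No translation entries should appear for the exempted traffic.
show xlate
```

The packet-tracer check is the quickest way to confirm both halves of the problem in this thread: whether the ASA leaves the source address alone, and whether the interface ACL still lets the packet through once NAT is out of the picture.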