04-27-2009 08:56 AM - edited 03-11-2019 08:24 AM
Is using identity NAT as compared to NAT exemption merely a preference, or are there benefits to one over the other? I've changed all of my identity NATs over to policy NAT, but I'm not sure (other than ease of reading and that it doesn't add to the xlate table) if there are any other benefits I'm not seeing.
Thanks,
John
04-27-2009 10:23 AM
John
To be honest with you, I think the terminology is way too complicated.
According to the doc, policy NAT is where you specify TCP/UDP ports in your ACL rather than just src/dst IPs.
I tend to think of it in simpler terms, perhaps because I am fundamentally quite a simple person :-).
1) Dynamic NAT with or without ACLs, NAT or PAT.
2) Static NAT with or without ACLs.
For both of the above the ACLs merely define the source IPs to be NATted.
3) Policy NAT - the ability to translate the same address to multiple different IPs based on src and dst IP and TCP/UDP port.
4) NAT exemption - don't do NAT at all.
Why the docs have to confuse things with identity NAT I don't know. I actually had to look that term up! The above works well for me, although others may take issue with it.
As for which to use: well, if you don't want to NAT, then NAT exemption saves an entry in the xlate table, as you say.
Jon
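As an added illustration (not part of the thread, and not Cisco's sample config) of the four forms Jon lists, written in the pre-8.3 ASA/PIX NAT syntax the thread is using. The interface names inside, outside and dmz1 come from the thread; every address, ACL name and host is made up for the example. The identity-NAT and NAT-exemption lines are alternatives for the same subnet and are shown side by side for comparison, not to be applied all at once:

```cisco
! Added example, not from the original thread. Addresses and ACL names are
! invented; interface names match the thread (inside, outside, dmz1).

! 1) Dynamic NAT/PAT. The ACL only selects which source hosts get translated.
access-list INSIDE_TO_PAT extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 1 access-list INSIDE_TO_PAT
global (outside) 1 interface

! 2) Static NAT: one-to-one, connections can start from either side,
!    and the mapping shows up in the xlate table.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 3) Policy NAT: the same real addresses are translated differently depending
!    on the destination. Here 10.1.1.0/24 appears as 192.168.50.0/24 only when
!    it talks to 172.16.0.0/24 behind dmz1; the ACL may also match ports.
access-list POLICY_DMZ extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.255.0
static (inside,dmz1) 192.168.50.0 access-list POLICY_DMZ

! 4a) Identity NAT, static form: real address == mapped address, bidirectional,
!     still creates an xlate entry (this is the "static" John mentions).
static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 4b) Identity NAT, dynamic form: no ACL is allowed, and only the inside host
!     can initiate the connection.
nat (inside) 0 10.1.1.0 255.255.255.0

! 5) NAT exemption: no translation and no xlate entry, either side can initiate,
!    and the ACL is matched on source and destination IP only (any ports in the
!    ACL are ignored, unlike policy NAT).
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Verification: exempted flows never appear in the xlate table, static and
! identity ones do.
show xlate
show running-config nat
show running-config static
```

Two things to keep in mind when choosing between them: the pre-8.3 rule order is NAT exemption first, then static (regular and policy), then policy dynamic, then regular dynamic, so an exemption ACL that is broader than intended silently wins over a static you expect to match; and because NAT exemption ignores ports, a rule that must only bypass translation for one service has to be written as policy NAT, not as an exemption.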
04-27-2009 10:00 AM
John
Just to clarify, what do you mean by policy NAT? Could you have a look at this document, which covers policy NAT, identity NAT (both static and dynamic) and NAT exemption:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
So you may be confusing policy NAT with NAT exemption. Then again, you may not, and it may be me that is confused :-)
Personally, I use policy NAT when I want to translate the same source addresses to different addresses depending on the destination address.
Jon
04-27-2009 10:04 AM
Jon,
I was confusing them. :)
policy NAT = static (inside,dmz1)...
NAT exemption = nat (inside) 0 access-list..
Is that right? I decided to take all of my statics off and move over to NAT exemption, but I may go back. I'm not sure what a good deciding factor for doing one over the other is.
Thanks,
John