07-19-2010 08:14 PM - edited 03-11-2019 11:13 AM
access-list IDENT-STATIC extended permit ip object-group X object-group Y
global (outside) 9 x.x.x.x
nat (inside) 9 x.x.x.x 255.255.255.0 dns
static (inside,outside) x.x.x.0 access-list IDENT-STATIC
I have the configuration above, which works fine, but an issue has come up in which I need to see if it is possible or not to work around. Object-group X is an internal network of users on RFC1918 space and object-group Y is also an internal network that is on public IPs. So basically they are identity NATted if they reach any host on the Y network and are PATed if they go elsewhere. What I need to do, if possible, is allow all the computers in object-group X to reach one host in object-group Y without being NATted. The host they need to reach is already a part of the network in object-group Y. Is there a way to exclude a host from being NATted before this statement is processed?
Thanks
07-19-2010 08:30 PM
Hello,
You can try NAT-0 configuration.
access-list nonat permit ip x.x.x.0 255.255.255.0 host y.y.y.a
nat (inside) 0 access-list nonat
Hope this helps.
Regards,
NT
07-19-2010 08:37 PM
Sorry, I should have said I want the hosts in network X to be NATted when they are trying to reach that one host in object-group Y.
07-19-2010 11:31 PM
Let y.y.y.y be the host which users in X access after NATting.
We can use variable-length subnetting,
if you are OK with changing this IP to something else.
I mean, put all those hosts in the Y network which need to be accessed by X without NATting in one subnet, say y.y.y.0 255.255.255.128, as this is the max you can go to divide them equally into 2 parts,
and the host which needs X to be NATted in the y.y.y.128 255.255.255.128 subnet,
and then you can modify the access-list and nat statements accordingly.
07-20-2010 04:57 AM
j
07-20-2010 05:00 AM
Forgot to mention one more thing:
can you use NAT exemption instead of identity NAT?
In the NAT exemption you can deny the traffic which needs to be NATted.
07-20-2010 05:27 AM
Hello,
As Jathaval has said, with the way you have configured it, it is not possible to NAT when you are accessing one specific device in the y.y.y.0 subnet. However, you could modify your configuration and use NAT-0 instead of identity NAT and make it work. You do need to remember that when you remove identity NAT and configure NAT-0, you will lose the ability to initiate connections from the y.y.y.0 side to the x.x.x.0 side.
access-list nonat deny ip x.x.x.0 255.255.255.0 host y.y.y.y
access-list nonat permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0
nat (inside) 0 access-list nonat
The other option is to change the IP of the y.y.y.y host as it appears to the firewall. If you have another router between the firewall and the y.y.y.0 subnet, then you could configure the router such that the host y.y.y.y appears as z.z.z.z to the ASA. That makes our life simple, as you do not need to make any changes to the existing configuration. The only thing will be that your x.x.x.0 users will be accessing the z.z.z.z address instead of the y.y.y.y address.
Hope this helps.
Regards,
NT
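The order of operations behind NT's nonat proposal, as an added example that is not part of the thread: on a pre-8.3 ASA, NAT exemption (nat 0 access-list) is evaluated before static and dynamic NAT, and a deny entry in the exemption ACL simply drops the flow through to the PAT rule. The addresses are constructed stand-ins for the thread's x.x.x.0, y.y.y.0 and y.y.y.y placeholders.

```python
"""Model of the ASA (pre-8.3) NAT order of operations for the nonat proposal.

Constructed addresses (not from the thread):
  X          = 10.0.0.0/24   the RFC1918 user network (object-group X)
  Y          = 192.0.2.0/24  the public-IP internal network (object-group Y)
  Y_HOST     = 192.0.2.10    the one Y host that must be reached through PAT
  PAT_GLOBAL = 198.51.100.1  the address behind 'global (outside) 9'
"""
from ipaddress import ip_address, ip_network

X = ip_network("10.0.0.0/24")
Y = ip_network("192.0.2.0/24")
Y_HOST = ip_address("192.0.2.10")
PAT_GLOBAL = ip_address("198.51.100.1")

# access-list nonat: evaluated top-down, first match wins.
# A matching deny means "not exempt", so the flow continues to dynamic PAT.
NONAT_ACL = [
    ("deny", X, ip_network(f"{Y_HOST}/32")),   # the single host to be PATed
    ("permit", X, Y),                           # everything else in Y stays untranslated
]


def acl_lookup(acl, src, dst):
    """Return the action of the first ACE matching (src, dst), or None if none match."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None


def translate(src, dst):
    """Return (translated_source, rule_applied) following the ASA precedence:
    1. NAT exemption: 'nat (inside) 0 access-list nonat' (permit match wins outright)
    2. Static NAT: none once the identity 'static ... access-list IDENT-STATIC' is removed
    3. Dynamic NAT/PAT: 'nat (inside) 9' + 'global (outside) 9'
    """
    if acl_lookup(NONAT_ACL, src, dst) == "permit":
        return src, "nat 0 access-list nonat (exempt)"
    if src in X:
        return PAT_GLOBAL, "nat (inside) 9 / global (outside) 9 (PAT)"
    return src, "no translation"


if __name__ == "__main__":
    user = ip_address("10.0.0.5")
    for dst in (Y_HOST, ip_address("192.0.2.20"), ip_address("203.0.113.1")):
        print(f"{user} -> {dst}: {translate(user, dst)}")
```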