12-15-2014 11:29 PM - edited 03-11-2019 10:14 PM
Hi
I have an issue with NATing. I have an ASA 5025 x and I made static NAT for some servers and some users to access the internet. I also have other branches that I need to access by my private IP. The NAT to the internet is working fine, but I am trying to make a NAT exemption to exclude the private IP from the NAT. Kindly see the following configuration:
object-group network obj-10.10.0.5
 network-object host 10.10.0.5
object-group network public-internet
 network-object host 1.1.1.1
nat (inside,outside) source static obj-10.10.0.5 public-internet
I use this line to exclude 10.0.0.0 when it tries to access 10.11.0.0:
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.11.0.0 obj-10.11.0.0
thanks
12-16-2014 01:14 AM
Probably the ordering of the NAT statements is causing the issue.
Instead of creating manual NAT for both the source NAT and the NAT exempt, try creating object NAT for outgoing traffic and manual NAT for the NAT exemption.
The manual NAT is evaluated before object NAT.
Also ensure that the IP addresses in the NAT exempt rule do not overlap the outgoing NAT traffic.
object nat config:
e.g. for object NAT.
object network test2
 host 10.1.1.1
object network test1
 host 1.1.1.1
 nat (inside,outside) static test2
NAT exempt:
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.11.0.0 obj-10.11.0.0
Thanks,
12-18-2014 01:48 AM
Hi Abbas,
Run the command "show nat" to check the order of the NAT policy, that is, the order in which rules are checked on your ASA.
For NAT exemption to work, your NAT exempt rule must be shown before your regular NAT rule.
If it is not, then reorder the NAT statements in the running configuration.
HTH
"Please rate useful posts."
12-18-2014 03:27 AM
12-18-2014 03:17 AM
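The ordering check described in the replies above, as an added example that is not part of the original thread: a Python script that reads `show nat` output and reports every NAT exempt (identity) rule listed after a translating rule on the same interface pair. The sample output is constructed from the two rules in the question, the function names are this example's own, and it assumes the usual `show nat` layout of a section header followed by numbered rule lines.

```python
import re

# Constructed sample in the layout of ASA "show nat" output, using the two
# manual NAT rules from this thread; the hit counters are invented.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-10.10.0.5 public-internet
    translate_hits = 120, untranslate_hits = 4
2 (inside) to (outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.11.0.0 obj-10.11.0.0
    translate_hits = 0, untranslate_hits = 0
"""

SECTION = re.compile(r"\(Section (\d)\)")
RULE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)(.*)$")

def parse_show_nat(text):
    """Return the rules in the order listed, which is the evaluation order."""
    rules, section = [], None
    for line in text.splitlines():
        if (m := SECTION.search(line)):
            section = int(m.group(1))
        elif (m := RULE.match(line)):
            num, real_if, mapped_if, kind, real, mapped, rest = m.groups()
            # Identity NAT with a destination clause is the NAT-exempt form.
            exempt = kind == "static" and real == mapped and " destination static " in rest
            rules.append({"section": section, "line": int(num), "exempt": exempt,
                          "ifaces": (real_if, mapped_if), "text": line.strip()})
    return rules

def shadowed_exemptions(rules):
    """Pair each exempt rule with the first translating rule listed before it
    on the same interface pair. Object names are not resolved here, so each
    pair is a candidate to check for overlapping source addresses."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["exempt"]:
            earlier = [r for r in rules[:i]
                       if not r["exempt"] and r["ifaces"] == rule["ifaces"]]
            if earlier:
                findings.append((rule, earlier[0]))
    return findings

if __name__ == "__main__":
    for exempt, blocker in shadowed_exemptions(parse_show_nat(SAMPLE_SHOW_NAT)):
        print(f"rule {exempt['line']} (exempt) is listed after rule {blocker['line']}:")
        print(f"  {blocker['text']}")
```

A reported pair only matters when the two rules' source objects overlap, which has to be confirmed against the object definitions in the running configuration.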