NAT-exempt necessary on ASA 8.3+?

Scott Quinn
Level 1

We are in the process of moving from an ASA-5505 to an ASA-5512X, and in the process we're moving from ASA v8.2 to the newer version.

On 8.2 and earlier you needed to have nat-exempt statements for traffic crossing firewall divisions even if it wasn't going through the NAT/PAT (in our case we had a couple of subnets in the 192.168.x.x space at different security levels that were not NATted, and PAT occurring when packets were routed to the Internet).

There are several howtos on how to do NAT-exempt on the newer 8.3+ ASAs, but I haven't found a definitive answer on whether it is necessary in our situation (i.e. routing/firewall from 192.168.1.x to 192.168.3.x). Is it?

1 Reply

rizwanr74
Level 7

Please follow the example.

- - - - - - - - -- - - - - - - - - - - - - - - - - - - - - -

8.2 version

! ACL that selects the traffic to be left untranslated (NAT exemption)
access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 10.10.255.0 255.255.255.0

! "nat <ifc> 0 access-list" = exempt the matching traffic arriving on that interface from NAT/PAT
nat (inside) 0 access-list EXEMPT
nat (dmz) 0 access-list EXEMPT

- - - - - - - - -- - - - - - - - - - - - - - - - - - - - - -

8.3(2) through 8.4(1):

! network objects replace the bare subnet/mask pairs of the 8.2 ACL
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0

object network obj-10.10.255.0
 subnet 10.10.255.0 255.255.255.0

! twice NAT with the same object as real and mapped address (for both source and
! destination) is identity NAT; (real_ifc,mapped_ifc) is the interface pair the
! traffic crosses
nat (inside,outside) source static obj-10.1.2.0 obj-10.1.2.0 destination static obj-10.10.255.0 obj-10.10.255.0
nat (dmz,outside) source static obj-10.1.2.0 obj-10.1.2.0 destination static obj-10.10.255.0 obj-10.10.255.0

Hope this helps.

Thanks

Rizwan Rafeek
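For the exact situation in the question (192.168.1.x on inside, 192.168.3.x on dmz, PAT only toward the Internet), here is an added 8.3+ configuration that is not part of the original thread or of Rizwan's reply. The interface names inside/dmz/outside, the object names INSIDE-NET/DMZ-NET and the ACL name DMZ-IN are assumptions. It shows the two points a practitioner wants to verify: first, 8.3 removed nat-control, so a packet that matches no NAT rule passes untranslated, and an object-NAT PAT rule written for the (inside,outside) pair is not applied to inside-to-dmz traffic; the identity rule is therefore only strictly required when a broader dynamic rule (for example one written for (inside,any) or (any,any)) would otherwise catch that traffic. Second, NAT is not access control: the interface ACL on the lower-security side still decides what dmz hosts may reach.

```cisco
! Added example, not from the thread. Assumed names: interfaces inside, dmz,
! outside; objects INSIDE-NET, DMZ-NET; ACL DMZ-IN. ASA 8.3+ syntax.
!
! --- real subnets ---
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-NET
 subnet 192.168.3.0 255.255.255.0
!
! --- Section 1 (twice NAT): identity rule, evaluated before object NAT.
! Real == mapped for source and destination, so 192.168.1.x <-> 192.168.3.x is
! never translated. A static twice-NAT rule is bidirectional, so this one line
! replaces both 8.2 "nat (ifc) 0 access-list EXEMPT" statements.
! With the (inside,outside) PAT below, inside->dmz traffic would match no NAT
! rule and pass untranslated even without this line; keep it if any rule for
! (inside,any) or (any,any) exists, because that rule would otherwise apply.
! "route-lookup" (8.4(2) and later) picks the egress interface from the routing
! table instead of from the NAT rule; "no-proxy-arp" stops the ASA from
! answering ARP for the identity-mapped addresses.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET no-proxy-arp route-lookup
!
! --- Section 2 (object NAT): PAT to the outside interface address, applied
! only to the (inside,outside) and (dmz,outside) interface pairs ---
object network INSIDE-NET
 nat (inside,outside) dynamic interface
object network DMZ-NET
 nat (dmz,outside) dynamic interface
!
! --- NAT is not access control. Binding an ACL to dmz replaces the implicit
! "permit to lower security level" behaviour, so the permit toward the Internet
! has to be spelled out or dmz hosts lose outbound access ---
access-list DMZ-IN extended permit tcp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list DMZ-IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! --- checks ---
! inside -> dmz: the NAT phase should show the identity rule (or no translation)
! and the source address must stay 192.168.1.10
packet-tracer input inside tcp 192.168.1.10 40000 192.168.3.20 443
! inside -> Internet: the source must be rewritten to the outside interface address
packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.5 443
! per-rule hit counters (translate_hits / untranslate_hits) and live translations
show nat detail
show xlate
```

The packet-tracer runs are the real test: if the inside-to-dmz trace shows the PAT rule being hit, a broader dynamic rule exists somewhere and the identity rule has to stay and sit above it in the NAT table.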
