01-08-2014 12:08 PM - edited 03-11-2019 08:26 PM
Hi,
I am new to Cisco routers and am trying to understand the NAT rules.
How do I interpret this NAT exempt rule? What will it do? How is it different from static and dynamic NAT rules?
Action: Exempt
Interface: APOOL
Source: 192.168.30.119
Destination: 10.100.23.41
01-08-2014 12:21 PM
Hi,
I don't personally use ASDM myself to configure NAT at all.
To me it seems that the above tells us that traffic from 192.168.30.119 to 10.100.23.41 should not be NATed at all.
I am guessing that the interface to which the NAT0 rule/configuration is applied is called "APOOL"? Which would mean that the host 192.168.30.119 is located behind that interface.
If you want to check the NAT configurations on the ASA through ASDM and provide us with the CLI format configuration, you can go to the Tools -> Command Line Interface menu in ASDM.
This will let you send CLI commands to the ASA through ASDM.
The following would be needed to get the CLI format of the NAT0/NAT Exempt configuration
show run nat
Then check the name of the ACL in the "nat (interface name) 0 access-list" line and run
show access-list
With regards to your other question, NAT0 configuration is meant to bypass any other NAT configuration you have on the firewall for certain traffic. This means it bypasses Static and Dynamic type NAT/PAT configurations for the source host.
Static NAT/PAT rules are usually used to configure NAT for internal servers so that they can be contacted from the external network. In those cases the NAT configuration naturally has to be Static, as a certain public IP address will always have to point towards the same local IP address.
Dynamic NAT/PAT rules are usually configured for a large group of hosts so they have some IP address towards external networks. Usually you will have a Dynamic PAT configuration for all your internal networks which essentially translates any internal IP address to the public IP address of your firewall. All the users will show up with this IP address on the Internet. Dynamic NAT is naturally also an option, but I personally see it used very rarely. The reason is that this would require a large pool of public IP addresses which would then be allocated to the internal hosts when accessing the Internet.
Hope this helps
- Jouni
01-08-2014 01:05 PM
Here are the results of the command
Result of the command: "show run nat"
nat (external) 0 access-list external_nat0_outbound
nat (APOOL) 0 access-list nonat
nat (APOOL) 10 0.0.0.0 0.0.0.0
nat (SPOOL) 0 access-list ALE_Test_nat0_outbound
nat (SPOOL) 10 0.0.0.0 0.0.0.0 dns
nat (management) 0 0.0.0.0 0.0.0.0
nat (APOOL) 0 access-list nonat
nat (APOOL) 10 0.0.0.0 0.0.0.0
nat (SPOOL) 0 access-list OSHA_Test_nat0_outbound
nat (SPOOL) 10 0.0.0.0 0.0.0.0 dns
nat (management) 0 0.0.0.0 0.0.0.0
Result of the command: "show access-list nonat"
access-list nonat; 6 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 192.168.10.0 255.255.255.0 VPN_Pool 255.255.255.0 (hitcnt=0) 0xa058d964
access-list nonat line 2 extended permit ip CM_VLAN 255.255.255.0 VPN_Pool 255.255.255.0 (hitcnt=0) 0xa7c94a8c
access-list nonat line 3 extended permit ip NETMGN_VLAN 255.255.255.0 VPN_Pool 255.255.255.0 (hitcnt=0) 0xb0417336
access-list nonat line 4 extended permit ip host 192.168.30.119 host 10.100.23.41 (hitcnt=0) 0xcccc4694
access-list nonat line 5 extended permit ip host alebdev object-group DM_INLINE_NETWORK_16 0xee0d33d1
access-list nonat line 5 extended permit ip host alebdev host ALE-DIT-SLT-LAB (hitcnt=0) 0xb1311b11
access-list nonat line 5 extended permit ip host alebdev host ALE-DIT (hitcnt=0) 0x3a511dc3
01-08-2014 01:15 PM
Hi,
So as you can see the interface "APOOL" has a NAT0 configuration
nat (APOOL) 0 access-list nonat
The "access-list nonat" defines the conditions under which no NAT should be performed.
So the "access-list" output shows you the hosts/networks between which no NAT should be performed. In case you are wondering about the hit count being 0 in the ACL, this is normal. These counters will never increase.
All the rest of the traffic from behind interface "APOOL" will match this configuration
nat (APOOL) 10 0.0.0.0 0.0.0.0
The public IP address to which the host would be translated can be listed with command
show run global 10
There might also be "static" commands that affect the hosts behind "APOOL" which you can list with
show run static | inc APOOL
or just
show run static
and go through the output.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if you still have questions.
- Jouni
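The two replies above describe the order in which a pre-8.3 ASA picks a NAT action for a host behind "APOOL": the NAT0 access list is consulted first and, if it matches, no translation happens at all; otherwise a "static" entry applies; otherwise the "nat (APOOL) 10" / "global 10" dynamic rule does. The following Python model is an added example, not the thread author's configuration or Cisco's code. It parses a constructed configuration written in the same CLI format as the "show run nat" / "show access-list" output in the thread (the host pair 192.168.30.119 / 10.100.23.41 and the interface and ACL names are taken from the thread; 203.0.113.x, 192.168.30.50, 10.200.0.0/24 and 198.51.100.7 are made-up values) and shows which rule wins for a given source and destination.

```python
"""Model of how a pre-8.3 Cisco ASA chooses a NAT action for a flow leaving an
interface, following the order the replies describe: NAT exemption
(nat 0 access-list) first, then static NAT, then dynamic NAT/PAT.
Added example, not the thread author's or Cisco's code."""
import ipaddress

# Constructed sample configuration in the CLI format that "show run nat",
# "show run global" and "show run static" print. Only APOOL-side rules are
# mirrored; 203.0.113.x, 192.168.30.50 and 10.200.0.0/24 are made-up values.
SAMPLE_CONFIG = """
access-list nonat extended permit ip host 192.168.30.119 host 10.100.23.41
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list nonat extended permit ip host 192.168.30.50 host 10.100.23.41
nat (APOOL) 0 access-list nonat
nat (APOOL) 10 0.0.0.0 0.0.0.0
global (outside) 10 203.0.113.1
static (APOOL,outside) 203.0.113.50 192.168.30.50 netmask 255.255.255.255
"""


def _endpoint(tokens, i):
    """Parse one address specification at tokens[i]: 'any', 'host X' or 'X MASK'.
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect access-list, nat, global and static statements by kind."""
    cfg = {"acls": {}, "nat0": {}, "dynamic": {}, "globals": {}, "static": []}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"]:
            iface, nat_id = t[1].strip("()"), int(t[2])
            if nat_id == 0 and t[3] == "access-list":
                cfg["nat0"][iface] = t[4]          # NAT exemption -> ACL name
            else:
                net, _ = _endpoint(t, 3)           # dynamic (or identity when id 0)
                cfg["dynamic"].setdefault(iface, []).append((nat_id, net))
        elif t[:1] == ["global"]:
            cfg["globals"][int(t[2])] = t[3]       # nat id -> mapped address
        elif t[:1] == ["static"]:
            inside, _outside = t[1].strip("()").split(",")
            mapped, real = t[2], t[3]
            cfg["static"].append((inside, ipaddress.ip_address(real), mapped))
    return cfg


def classify(cfg, iface, src_ip, dst_ip):
    """Return (action, detail) for a packet from src_ip to dst_ip entering iface."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption: the first matching ACE wins and no translation happens,
    #    regardless of any static or dynamic rule covering the same source.
    acl = cfg["nat0"].get(iface)
    for n, (s, d) in enumerate(cfg["acls"].get(acl, []), 1):
        if src in s and dst in d:
            return "exempt", f"{acl} line {n}"
    # 2. Static NAT: a fixed mapped address for one real host.
    for inside, real, mapped in cfg["static"]:
        if inside == iface and src == real:
            return "static", mapped
    # 3. Dynamic NAT/PAT via the matching "global" id (identity NAT for id 0).
    for nat_id, net in cfg["dynamic"].get(iface, []):
        if src in net:
            if nat_id == 0:
                return "identity", str(src)
            return "dynamic", cfg["globals"].get(nat_id)
    return "none", None


CONFIG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for dst in ("10.100.23.41", "198.51.100.7"):
        for host in ("192.168.30.119", "192.168.30.50"):
            print(host, "->", dst, classify(CONFIG, "APOOL", host, dst))
```

Running it shows the point of the thread: 192.168.30.119 to 10.100.23.41 is exempt and leaves untranslated, while the same host to any other destination is PATed to the "global 10" address; 192.168.30.50, which has a "static" entry, is still exempt towards 10.100.23.41 because the NAT0 list is checked before the static rule.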