NAT exemption for a service/port in 8.4(3)

iakinfie1
Level 1

Hello,

I am trying to exempt a specific service, let's say HTTP, from being NAT'd, i.e. I want everything going to 0.0.0.0 to be dynamic PAT'd to the outside interface, but HTTP only to be passed with the original source IP.

Although the manual states that NAT rules should take precedence over object NAT, I am seeing HTTP traffic get source NAT'd anyway.

Config snip below:

nat (inside,outside) source dynamic obj-192.168.1.0 interface service not-http not-http
!
object network obj-192.168.1.0
 nat (any,outside) dynamic interface

Any ideas? The only way I could figure out how to make this work is by a very convoluted process of creating NAT rules for a TCP service object with ports 1-79 and 81-65535, but then I lose the ability to NAT anything except UDP and TCP.

Any advice welcome!

Thanks

ilya


3 Replies

luisroja (Accepted Solution)
Level 1

Hello Ilya,

In case you want to exempt some traffic from being translated only when it is going to any destination on the outside using TCP port 80 (HTTP), you should remove the following rule and leave the regular PAT in there.

{no} nat (inside,outside) source dynamic obj-192.168.1.0 interface service not-http not-http

The following rule would be OK in order to translate the rest of the traffic that doesn't match the HTTP port:

object network obj-192.168.1.0
 nat (any,outside) dynamic interface

I would suggest changing the rule from "any" to "inside"; so it would look like this:

object network obj-192.168.1.0
 nat (inside,outside) dynamic interface

For the NAT exemption, I would suggest you use the following rule:

object service dest-http
 service tcp destination eq 80
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 service dest-http dest-http

With that rule, what the ASA is going to understand is that it is a static rule and the object obj-192.168.1.0 is not going to be translated (since the mapped object is the same) when any host on that subnet is trying to go to any address on the outside with a destination TCP port of 80 (HTTP).

Let me know if that works for you.

Thanks.

If you issue the show nat detail command, you should see something like this:

1 (inside) to (outside) source static obj-192.168.1.0 obj-192.168.1.0   service dest-http dest-http
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
    Service - Origin: tcp destination eq www , Translated: tcp destination eq www

Thanks!
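The lookup behaviour Luis's fix relies on (a manual NAT rule in section 1 is checked before object NAT in section 2, the first match wins, and an identity static rule leaves the real source address untouched) as an added Python model of the two rules from the answer. This is not code from the thread or from Cisco; the outside interface address 203.0.113.1, the rule table and the simplified matcher are constructed assumptions, and PAT port allocation is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed outside interface address used as the PAT result (constructed, documentation range).
OUTSIDE_IF_IP = "203.0.113.1"

@dataclass
class NatRule:
    section: int               # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src_if: str                # real interface: "inside" or "any"
    real_net: str              # real source network
    mapped_net: Optional[str]  # None = dynamic PAT to the outside interface
    proto: Optional[str]       # service protocol match, None = any protocol
    dst_port: Optional[int]    # service destination port match, None = any port

# Luis's final configuration, modelled as a rule table (assumed mapping of the CLI):
#   nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 service dest-http dest-http
#   object network obj-192.168.1.0 / nat (inside,outside) dynamic interface
RULES = [
    NatRule(1, "inside", "192.168.1.0/24", "192.168.1.0/24", "tcp", 80),
    NatRule(2, "inside", "192.168.1.0/24", None, None, None),
]

def lookup(rules, in_if, src_ip, proto, dst_port):
    """First matching rule, ASA-style: section 1 in configured order, then section 2."""
    for r in sorted(rules, key=lambda r: r.section):  # stable sort keeps configured order
        if r.src_if not in ("any", in_if):
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.real_net):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r
    return None

def translated_source(rules, in_if, src_ip, proto, dst_port):
    """Source address the packet carries on the outside interface."""
    r = lookup(rules, in_if, src_ip, proto, dst_port)
    if r is None:
        return src_ip                 # no rule matched: address passes unchanged
    if r.mapped_net is None:
        return OUTSIDE_IF_IP          # dynamic PAT to the interface address
    real = ipaddress.ip_network(r.real_net)
    mapped = ipaddress.ip_network(r.mapped_net)
    offset = int(ipaddress.ip_address(src_ip)) - int(real.network_address)
    return str(mapped.network_address + offset)  # static: same offset in the mapped net

if __name__ == "__main__":
    for proto, port in (("tcp", 80), ("tcp", 22), ("udp", 53)):
        print(proto, port, "->", translated_source(RULES, "inside", "192.168.1.10", proto, port))
```

Only TCP/80 hits the section 1 identity rule and keeps its 192.168.1.x source; every other protocol and port falls through to the section 2 object NAT and leaves with the interface address, which is the behaviour the show nat detail hit counters let you confirm.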

iakinfie1
Level 1

Thank you, Luis!

That did the trick...
