NAT help

mjsully
Level 1

Have an ASA5520 running 9.17 code. It currently has the following NAT statement in it:

object network obj-10.10.1.1
 nat (inside,DMZ) static 172.252.252.252

I have a need where I need this 10.10.1.1 host to be able to communicate with 2 specific hosts on the DMZ, but NOT get translated when doing so. The 2 hosts have IPs of 192.168.1.1 and 192.168.1.2. I'm not sure of the config or type of NAT to do this, nor am I sure of the order of operations, i.e. which will take place first. I only want it not to translate going to the 2 hosts; the rest of the time I want it to keep getting translated to 172.252.252.252. Help appreciated. Thank you.

4 Replies

Francesco Molino
VIP Alumni

Hi 

You can create 2 NAT exemptions for that.

object network obj-192.168.1.1
 host 192.168.1.1
!
object network obj-192.168.1.2
 host 192.168.1.2
!
nat (Inside,DMZ) source static obj-10.10.1.1 obj-10.10.1.1 destination static obj-192.168.1.1 obj-192.168.1.1 no-proxy-arp route-lookup
!
nat (Inside,DMZ) source static obj-10.10.1.1 obj-10.10.1.1 destination static obj-192.168.1.2 obj-192.168.1.2 no-proxy-arp route-lookup

Hope that helps.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thank you. That helps. One more follow-up: I can do that same NAT and use a source subnet also, right? Meaning, if I decided I wanted everything on the 10.10.1.0/24 subnet to NOT get translated when talking to 192.168.1.1 and 192.168.1.2, could I just change the statements to the following:

object network obj-10.10.1.0
 subnet 10.10.1.0 255.255.255.0

nat (Inside,DMZ) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-192.168.1.1 obj-192.168.1.1 no-proxy-arp route-lookup

nat (Inside,DMZ) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-192.168.1.2 obj-192.168.1.2 no-proxy-arp route-lookup

Hi 

Yes you can.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


And this is what we call Identity NAT. Please find further information at this link: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html
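As an added illustration (not code from this thread or from Cisco), the Python below models the ASA NAT order of operations behind both answers: the manual identity NAT lines (section 1) are evaluated before the object NAT (section 2), so 10.10.1.x going to the two DMZ hosts passes untranslated while everything else from 10.10.1.1 still maps to 172.252.252.252. The config text and the parser are constructed and simplified; a real ASA applies richer section 2 tie-breaking than is shown here.

```python
import ipaddress

# Constructed config modelled on this thread's object NAT plus the subnet-based identity exemptions; not from a real device.
ASA_CONFIG = """\
object network obj-10.10.1.1
 host 10.10.1.1
 nat (inside,DMZ) static 172.252.252.252
object network obj-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
object network obj-192.168.1.1
 host 192.168.1.1
object network obj-192.168.1.2
 host 192.168.1.2
nat (inside,DMZ) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-192.168.1.1 obj-192.168.1.1 no-proxy-arp route-lookup
nat (inside,DMZ) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-192.168.1.2 obj-192.168.1.2 no-proxy-arp route-lookup
"""

def parse_config(text):
    """Return (objects, manual_rules, object_rules) from ASA-style NAT config text."""
    objects, manual, obj_rules, current = {}, [], [], None
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "host":
            objects[current] = ipaddress.ip_network(tok[1])
        elif tok[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "nat" and tok[2] == "source":   # section 1: manual (twice) NAT
            manual.append((tok[4], tok[5], tok[8], tok[9]))
        elif tok[0] == "nat" and raw.startswith(" "):  # section 2: object NAT
            obj_rules.append((current, tok[3]))
    return objects, manual, obj_rules

def translate(src, dst, config=ASA_CONFIG):
    """Mapped source for one inside->DMZ flow: section 1 is checked first in config
    order (first match wins); section 2 only if nothing in section 1 matched.
    Section 2 tie-breaking (static before dynamic, longest prefix) is omitted here."""
    objects, manual, obj_rules = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net = lambda n: objects[n] if n in objects else ipaddress.ip_network(n)
    def mapped(addr, real, map_):  # static NAT keeps the host offset inside the block
        return map_[int(addr) - int(real.network_address)]
    for rs, ms, rd, _ in manual:
        if src in net(rs) and dst in net(rd):
            return mapped(src, net(rs), net(ms))
    for name, ms in obj_rules:
        if src in net(name):
            return mapped(src, net(name), net(ms))
    return src  # no rule matched: traffic passes untranslated
```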
