NAT question...

smehrnia
Level 7

Hi Experts,

Quick question: if I want to do a NAT exception for ALL IP traffic on an interface in version 8.4(2), what should I do?

Just want to double check it... would it work, or should I use another method: nat (interface,any) source static any any

Thanks,

Soroush.

Hope it Helps!

Soroush.
Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I guess you already asked something like this on the previous thread.

If your situation is still such that NO HOSTS need to be NATed through the firewall, then you can simply LEAVE OUT ALL NAT configurations.

Generally, when people need to exempt hosts from NAT they usually only have certain destination networks for which this should apply (VPN connections). So you usually define destination parameters for the NAT configuration also.

Then you might naturally have public subnets behind the firewall that don't need NAT. As long as no other NAT rule matches these public subnets as a source, then you can simply leave out all NAT configuration.

From what I tested, I wouldn't probably suggest the above NAT configuration even though I mentioned it in the other thread. It might possibly even cause problems.

I would suggest the other format, which basically is that you define the source networks behind that interface under an "object-group network" and then configure the NAT rule:

object-group network NETWORKS
 network-object
 network-object

nat (interface,any) source static NETWORKS NETWORKS

Pretty hard to say more than that when I don't have an exact picture of the situation.

- Jouni
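Below is an added, fully written-out version of the object-group approach from the accepted answer; it is not from the original post, and the interface name "inside", the object names and the subnets are constructed for the example. It also shows the destination-qualified form the answer mentions for VPN traffic, and lists the commands used to confirm which NAT rule a flow actually hits.

```text
! ASA 8.4(2): identity (exemption) NAT for the subnets behind "inside".
! Subnets and object names below are constructed sample values.
object-group network INSIDE_NETWORKS
 network-object 10.1.0.0 255.255.0.0
 network-object 192.0.2.0 255.255.255.0
!
! Rule 1: identity NAT for ALL IP traffic from those subnets, whatever the egress interface.
! no-proxy-arp (available from 8.4(2)) stops the ASA answering ARP for the whole group
! on other interfaces, one of the side effects a broad "static any any" rule can cause.
nat (inside,any) source static INSIDE_NETWORKS INSIDE_NETWORKS no-proxy-arp
!
! Rule 2 (the more usual case): exempt only traffic towards a remote VPN site.
! The line number 1 puts it ahead of any other manual NAT rule that would match these sources.
object network VPN_REMOTE
 subnet 172.16.50.0 255.255.255.0
nat (inside,outside) 1 source static INSIDE_NETWORKS INSIDE_NETWORKS destination static VPN_REMOTE VPN_REMOTE no-proxy-arp route-lookup
!
! Verification: list the manual NAT rules with hit counts, then trace one flow end to end.
! show nat
! packet-tracer input inside tcp 10.1.0.10 40000 172.16.50.20 443
```

In the packet-tracer output the NAT phase should name the identity rule and show the untranslated source address; if a dynamic PAT rule appears there instead, the identity rule is ordered after it or its objects do not cover the source.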
