07-11-2013 10:58 AM - edited 03-11-2019 07:11 PM
Hi Experts,
Quick question: if I want to do NAT exception for ALL IP traffic on an interface in version 8.4(2), what should I do?
I just want to double check it... would it work, or should I use another method? nat (interface,any) source static any any
Thanks,
Soroush.
07-11-2013 11:50 AM
Hi,
I guess you already asked something like this on the previous thread.
If your situation is still such that NO HOSTS need to be NATed through the firewall, then you can simply LEAVE OUT ALL NAT configuration.
Generally, when people need to exempt hosts from NAT, they usually only have certain destination networks for which this should apply (VPN connections). So you usually define destination parameters for the NAT configuration as well.
Then you might naturally have public subnets behind the firewall that don't need NAT. As long as no other NAT rule matches these public subnets as a source, you can simply leave out all NAT configuration.
From what I tested, I wouldn't suggest the above NAT configuration, even though I mentioned it in the other thread. It might possibly even cause problems.
I would suggest the other format, which basically is that you define the source networks behind that interface under an "object-group network" and then configure the NAT rule:
object-group network NETWORKS
network-object
network-object
nat (interface,any) source static NETWORKS NETWORKS
Pretty hard to say more than that when I don't have an exact picture of the situation.
- Jouni
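To make the two approaches from the answer concrete, here is an added ASA 8.4(2)-style configuration example; it is not from the original thread, and the interface names (inside, outside), subnets (192.168.10.0/24, 192.168.11.0/24, 10.20.0.0/16) and object names are assumed for illustration. It shows, first, the usual pattern of exempting only traffic toward a VPN peer (identity NAT with a destination parameter), and second, the object-group form suggested above for exempting everything sourced from the networks behind one interface, followed by the commands used to check which rule a given flow actually hits.

```cisco
! --- Case 1: exempt LAN only when the destination is the remote VPN network ---
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network VPN-REMOTE
 subnet 10.20.0.0 255.255.0.0
! Identity NAT (source and destination mapped to themselves). Manual NAT rules
! (section 1) are evaluated top-down, so this must sit above any dynamic PAT rule
! that would otherwise translate the same source. no-proxy-arp and route-lookup
! (both available from 8.4(2)) keep the ASA from answering ARP for 192.168.10.0/24
! on the outside and make it route by the routing table rather than the NAT rule.
nat (inside,outside) source static LAN LAN destination static VPN-REMOTE VPN-REMOTE no-proxy-arp route-lookup

! Everything else from inside still gets PAT to the outside interface address.
object network LAN-PAT
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Case 2: exempt ALL traffic from the networks behind "inside", to any interface ---
! Listing the real networks in an object-group (instead of "any any") keeps the
! rule from matching traffic it was never meant to cover.
object-group network INSIDE-NETWORKS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
nat (inside,any) source static INSIDE-NETWORKS INSIDE-NETWORKS

! --- Verification ---
! List the NAT table with hit counts to confirm rule order and that the rule is used.
show nat detail
! Trace a sample flow to the VPN network and to the Internet and read the NAT phase:
! the first should match the identity rule, the second the dynamic PAT rule.
packet-tracer input inside tcp 192.168.10.5 40000 10.20.1.1 443
packet-tracer input inside tcp 192.168.10.5 40000 198.51.100.10 80
```

Which case applies is what the answer asks for: if every host behind the interface genuinely needs no translation anywhere, no NAT statement is required at all; the object-group rule in case 2 is only needed when some other NAT rule would otherwise catch those sources. After any change, the `packet-tracer` output is the quickest way to confirm that the intended rule, and not a broader one, is matching.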