08-01-2013 05:22 AM - edited 03-11-2019 07:19 PM
Hello
Most of my experience was with PIX, then we got a few ASA 5505s pre-IOS 8.3, so we still used the NAT 0 access list for site-to-site VPN.
I am having trouble understanding Twice NAT / Identity NAT and can't see how to use it with an access-list NAT 0.
Basic setup: single source LAN 10.x.0.0. I want all traffic dynamic NATed using a specified IP, which I have already set up, but need to exempt the source IP from NAT when it's bound for one of my other 10.x.0.0 sites and use NAT for internet traffic. Any help is much appreciated; this new change is somewhat confusing.
08-01-2013 05:46 AM
What you want is NAT Exempt. You would need to do something like the following:
object network LAN
subnet 10.x.0.0 255.255.0.0
object network OTHER_SITES
subnet 10.x.0.0 255.255.0.0
nat (inside,outside) source static LAN LAN destination static OTHER_SITES OTHER_SITES
08-01-2013 05:49 AM
Thanks Marius,
That's what I got out of the documentation I found.
I just could not believe you can't specify destination static as an access list like in the old NAT 0 days:
nat (inside,outside) source static LAN LAN destination static access-list Nat0
Would it be a security issue to open a whole subnet?
object network OTHER_SITES
subnet 10.0.0.0 255.0.0.0
08-01-2013 05:54 AM
There are some big changes between 8.0 and 8.3 and higher, especially when it comes to NAT. We are now required to create object groups instead of ACLs.
08-01-2013 06:00 AM
OK, so if I had to exempt NAT for the following, would I do an object group, or
object network OTHER_SITES
subnet 10.0.0.0 255.0.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.12.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.16.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.17.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.18.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.19.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.24.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.25.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.28.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.27.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.26.0.0
etc.
08-01-2013 06:09 AM
Well, that is really up to you. If you are OK with all subnets within the 10.0.0.0/8 range not being NATed then go for it. Though I have experienced that NAT can act a bit strange if you use the same network group for both source and destination in the NAT statement. So if you experience the same then create another network object with the same 10.0.0.0/8 range and use that as the destination and things should be all good.
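An added example, not part of the thread: a small Python converter that turns a legacy pre-8.3 nat0 ACL like the one posted above into the 8.3+ object / object-group / twice-NAT form Marius describes in both replies, keeping the exemption scoped to the remote /16s actually listed instead of the whole 10.0.0.0/8. The object names LAN and REMOTE_SITES and the sample ACL are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample: legacy pre-8.3 "nat 0" ACL entries in the same shape as
# the ones posted in the thread (one local /16 to several remote /16s, with
# a duplicate entry and a truncated entry thrown in).
LEGACY_NAT0_ACL = """\
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.26.0.0
access-list nat0 extended permit ip 10.31.0.0 255.255.0.0 10.12.0.0 255.255.0.0
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>%s)\s+(?P<smask>%s)\s+(?P<dst>%s)\s+(?P<dmask>%s)\s*$" % (IP, IP, IP, IP)
)

def parse_nat0_acl(text):
    """Return (sources, destinations) as ordered, de-duplicated lists of
    (network, mask). A line that does not parse (e.g. one missing its mask)
    is skipped rather than guessed."""
    sources, dests = OrderedDict(), OrderedDict()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        sources[(m["src"], m["smask"])] = None
        dests[(m["dst"], m["dmask"])] = None
    return list(sources), list(dests)

def to_twice_nat(text, ifaces=("inside", "outside"), src_name="LAN", grp_name="REMOTE_SITES"):
    """Emit ASA 8.3+ identity (NAT-exempt) config: one network object for the
    local subnet, one object-group holding only the remote subnets actually
    listed, and the twice-NAT statement that ties them together."""
    sources, dests = parse_nat0_acl(text)
    if len(sources) != 1:
        raise ValueError("expected exactly one local source subnet, got %d" % len(sources))
    (src_net, src_mask), = sources
    lines = ["object network %s" % src_name, " subnet %s %s" % (src_net, src_mask),
             "object-group network %s" % grp_name]
    lines += [" network-object %s %s" % d for d in dests]
    lines.append("nat (%s,%s) source static %s %s destination static %s %s"
                 % (ifaces[0], ifaces[1], src_name, src_name, grp_name, grp_name))
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_twice_nat(LEGACY_NAT0_ACL))
```

The truncated 10.26.0.0 entry is dropped on purpose so you notice it and fix the mask by hand; the duplicate 10.5.0.0 entry collapses to a single network-object.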