Static NAT or NAT exemption?

licenses
Level 1

So my situation is kind of unique. I'm currently configuring an ASA5510 (ver. 8.4) to replace an OpenBSD router box. My company was originally given a /24 of public IPs.....yes, it's weird. We are currently working on eliminating the public VLAN in our office. Currently half the company is using these public IPs for their computers and half are on a private VLAN. We also have several servers on the public VLAN. Everything is connected to a layer 3 switch that routes between these computers. When we first implement the ASA we want to leave the servers on the public VLAN and have them still accessible from the outside by the same IP address. Currently the OpenBSD box just doesn't NAT the public VLAN.

We were looking at 2 solutions.

1. NAT the server IPs to themselves, i.e. if the server has an IP of 80.80.80.2 then the NAT statement would look something like:

nat (inside,outside) 80.80.80.2 80.80.80.2

This is what we think would work best.

2. We create a NAT exemption rule for that entire public VLAN.

Is our theory correct that option 1 works best? Any other suggestions? We do not want to implement a DMZ because we have such sensitive data and only our web server could exist in our DMZ. My company is small....the simpler the solution, the better.

1 Reply

Amit Rai
Level 1

The only difference between these options is that static identity NAT would create an xlate entry on the firewall; however, if you use NAT exemption, that would not create the xlate on the firewall.
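Added example (not from either poster): what the two options from the question look like in the 8.3+/8.4 NAT syntax the ASA in question runs, plus the pieces NAT alone does not give you. Assumptions are labelled in the comments: the public VLAN is 80.80.80.0/24 behind the L3 switch, the switch's inside-facing address is 10.0.0.2 (a placeholder), the outside interface address 203.0.113.2/30 is a placeholder, and the object names are made up for the example. In 8.3 and later the old "nat 0 access-list" exemption form no longer exists; option 2 is written as identity NAT with a twice-NAT "source static" rule instead, and the inbound access-list references the real (untranslated) address.

```cisco
! --- Option 1: identity NAT for one server (object NAT) ---
! The mapped address equals the real address, so the ASA passes 80.80.80.2
! through unchanged in both directions.
object network SRV_WEB
 host 80.80.80.2
 nat (inside,outside) static 80.80.80.2
!
! --- Option 2: identity NAT for the whole public VLAN (twice NAT) ---
! Equivalent of the pre-8.3 NAT exemption for that subnet. Use one of the
! two options, not both, for the same addresses, or the more specific
! object NAT rule above will be shadowed by the ordering of section 1 rules.
object network PUBLIC_VLAN
 subnet 80.80.80.0 255.255.255.0
nat (inside,outside) source static PUBLIC_VLAN PUBLIC_VLAN
!
! --- Things NAT does not do for you (assumed values) ---
! The public VLAN lives behind the L3 switch, so the ASA needs a route to it;
! 10.0.0.2 is a placeholder for the switch's inside-facing address.
route inside 80.80.80.0 255.255.255.0 10.0.0.2
!
! Inbound traffic is still dropped by the outside interface's default policy.
! In 8.3+ the ACL matches the real IP (here identical to the mapped one).
! Only the ports the servers actually serve should be opened.
access-list OUTSIDE_IN extended permit tcp any host 80.80.80.2 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Checks ---
! Simulate an inbound connection from a placeholder external host and read
! the NAT and ACCESS-LIST phases; packet-tracer shows exactly which rule
! (object NAT or twice NAT) the flow hit.
! packet-tracer input outside tcp 198.51.100.10 12345 80.80.80.2 443
! show nat detail
! show xlate
```

Usage note: apply the lines in the example with the outside-facing ACL in place before the ASA replaces the OpenBSD box, then run the three commands at the end. "show nat detail" confirms which rule the server address matches and the hit counts, and "show xlate" shows whether an identity translation was built for it, which is the quickest way to test the xlate behaviour described in the reply on the exact software version in use.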
