10-05-2011 08:10 AM - edited 03-11-2019 02:34 PM
I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.
10-05-2011 09:13 AM
For static NAT:
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
becomes:
object network obj_test
 host 192.168.1.5
nat (inside,outside) source static obj_test obj_test
! manual NAT
or
object network obj_test
 host 192.168.1.5
 nat (inside,outside) static 192.168.1.5
! auto NAT (this is done inside the object only)
NAT exemption:
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
becomes:
object network obj_test1
 subnet 192.168.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
nat (inside,any) source static obj_test1 obj_test1 destination static obj_any obj_any
I hope I was able to clear your doubts.
Thanks,
Varun
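As an added illustration, not code from the thread or from Cisco, here is a small Python converter that applies the two mappings given above (identity static and nat 0 access-list exemption) and generalises the ACL side to host or subnet destinations. The object-naming scheme, the regexes and the sample input are my own assumptions; it emits 8.3+ object NAT text and does not validate it against a real ASA.

```python
import re
from ipaddress import IPv4Network
# Constructed sample input: the two pre-8.3 forms quoted in the thread.
OLD_CONFIG = """
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
"""
STATIC_RE = re.compile(r"^static\s*\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s*\((\w+)\)\s+0\s+access-list\s+(\S+)$")

def parse_endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def obj_name(net):
    """Assumed naming scheme: obj_any for 0.0.0.0/0, otherwise e.g. obj_192-168-1-0_24."""
    return ("obj_any" if net.prefixlen == 0 else
            f"obj_{str(net.network_address).replace('.', '-')}_{net.prefixlen}")

def convert(old_config):
    """Translate identity 'static' and 'nat 0 access-list' lines into 8.3+ object NAT."""
    acls, out = {}, []
    def define(net):  # emit an 'object network' block; /32 becomes 'host', otherwise 'subnet'
        out.append(f"object network {obj_name(net)}")
        out.append(f" host {net.network_address}" if net.prefixlen == 32
                   else f" subnet {net.network_address} {net.netmask}")
    for line in filter(None, map(str.strip, old_config.splitlines())):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            if mapped != real:  # only identity statics are NAT exemption; refuse anything else
                raise ValueError("not an identity static: " + line)
            define(IPv4Network(f"{real}/{mask}"))
            out.append(f" nat ({real_if},{mapped_if}) static {mapped}")  # auto NAT, inside the object
        elif m := ACL_RE.match(line):
            src, rest = parse_endpoint(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, parse_endpoint(rest)[0]))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            for src, dst in acls[acl]:  # KeyError here means the ACL was never defined
                for net in (src, dst):
                    if f"object network {obj_name(net)}" not in out:  # define each object once
                        define(net)
                s, d = obj_name(src), obj_name(dst)
                out.append(f"nat ({iface},any) source static {s} {s} destination static {d} {d}")
    return out
```

In 8.3+ manual NAT rules are matched in order within section 1, so an identity rule like the last emitted line must sit ahead of any broader dynamic rule for the same source or the dynamic rule wins.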
10-05-2011 08:21 AM
10-05-2011 08:23 AM
Also, you would find good docs on the support forum as well, like these:
https://supportforums.cisco.com/docs/DOC-9129#comment-3934
Video:
https://supportforums.cisco.com/docs/DOC-12324
Thanks,
Varun
10-05-2011 08:54 AM
The pdf is a good document to have so thanks for putting it up, but there's nothing in it on NAT exemption. I have seen all these documents and none discuss NAT exemption (NAT 0 access-list).
Specifically, how do you move from either of these 2 methods used to avoid NAT:
static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
(note: the IP's involved here are actually public IP's, not private)
OR
access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1
to 8.3 or higher NAT notation?
10-05-2011 09:00 AM
Then, this might be what you are looking for:
https://supportforums.cisco.com/docs/DOC-11639
Hope that helps,
Varun
10-05-2011 09:41 AM
Many thanks. I have to add my vote to those who say this new syntax in 8.3+ is not great but so what, we have to adapt to it.
10-05-2011 09:44 AM
Sure, thanks. I work with the 8.3 NAT day in and day out and I feel it is far better than the earlier ones; it seems more logical. Although yes, there might be some things like creating objects, overall it's a thumbs up from me.
Cheers,
Varun