v8.3 and above & NAT

Bob MacLean
Level 1

I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (nat 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.

We have public addresses inside the ASA and want to allow inbound/outbound connections using these IPs without NAT. The ASA is a 5550.

7 Replies

varrao
Level 10

Hi Bob,

You can refer to this doc, this might make it simple for you:

Hope that helps.

Varun

Let me know if you have any confusion.

Thanks,
Varun Rao

Also, you would find good docs on the support forum as well, like these:

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

Video:

https://supportforums.cisco.com/docs/DOC-12324

Thanks,

Varun

Thanks,
Varun Rao

The PDF is a good document to have, so thanks for putting it up, but there's nothing in it on NAT exemption. I have seen all these documents and none discuss NAT exemption (nat 0 access-list).

Specifically, how do you move from either of these two methods used to avoid NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

(note: the IPs involved here are actually public IPs, not private)

OR

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1

to 8.3 or higher NAT notation?

Then, this might be what you are looking for:

https://supportforums.cisco.com/docs/DOC-11639

Hope that helps,

Varun

Thanks,
Varun Rao

For static NAT:

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

becomes:

object network obj_test
  host 192.168.1.5
nat (inside,outside) source static obj_test obj_test     ------------> Manual NAT (the mapped object name must match the one defined above)

or

object network obj_test
  host 192.168.1.5
  nat (inside,outside) static 192.168.1.5                  ------------> Auto NAT (this is done inside the object only)

NAT exemption:

access-list exempt1 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list exempt1

becomes:

object network obj_test1
  subnet 192.168.1.0 255.255.255.0
object network obj_any
  subnet 0.0.0.0 0.0.0.0
nat (inside,any) source static obj_test1 obj_test1 destination static obj_any obj_any

I hope I was able to clear your doubts.

Thanks,

Varun

Thanks,
Varun Rao
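The mapping in the accepted answer is mechanical enough to script, which matters when a box has dozens of pre-8.3 no-NAT statements to carry across. The converter below is an added example written for this thread; it is not code from the thread, from Cisco, or from the ASA's own upgrade migration. It rewrites the two pre-8.3 no-NAT forms (identity or plain static, and nat 0 access-list, including ACLs written with the extended keyword) into 8.3+ network objects plus manual (twice) NAT rules. The object naming scheme (obj-<address>, obj-<network>_<prefix>, obj-any) and the sample input (RFC 5737 documentation addresses) are constructed for the example. Exemption rules are emitted ahead of static rules because pre-8.3 evaluated nat 0 access-list before static, and 8.3+ manual NAT is first-match in configuration order. The optional no_proxy_arp flag appends no-proxy-arp route-lookup, which assumes the target runs 8.4(2) or later, where those keywords exist; on identity rules they stop the ASA from proxy-ARPing for the untranslated addresses and make egress follow the routing table instead of the NAT rule.

```python
"""Rewrite pre-8.3 ASA no-NAT statements into 8.3+ object/twice-NAT syntax.

Added example for this thread; not Cisco code and not the ASA's upgrade migration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# "static (inside,outside) ..." / "nat (inside) 0 ..." with forgiving spacing
_IF_PAIR = re.compile(r"^(static|nat)\s*\(\s*([\w-]+)\s*(?:,\s*([\w-]+))?\s*\)\s*(.*)$")


def _addr_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _object(net: ipaddress.IPv4Network) -> Tuple[str, List[str]]:
    """Name and definition lines of the network object for a host, subnet or any.

    Naming scheme is this example's own assumption, not an ASA convention.
    """
    if net.prefixlen == 0:
        return "obj-any", ["object network obj-any", " subnet 0.0.0.0 0.0.0.0"]
    if net.prefixlen == 32:
        name = f"obj-{net.network_address}"
        return name, [f"object network {name}", f" host {net.network_address}"]
    name = f"obj-{net.network_address}_{net.prefixlen}"
    return name, [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def convert(old_config: str, no_proxy_arp: bool = False) -> List[str]:
    """Return 8.3+ config lines: objects, then NAT-exemption rules, then statics.

    no_proxy_arp appends 'no-proxy-arp route-lookup' (assumes 8.4(2) or later).
    """
    objects: Dict[str, List[str]] = {}
    acls: Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]] = {}
    exemptions: List[Tuple[str, str]] = []  # (real interface, ACL name)
    static_rules: List[str] = []
    trailer = " no-proxy-arp route-lookup" if no_proxy_arp else ""

    def obj(net: ipaddress.IPv4Network) -> str:
        name, lines = _object(net)
        objects.setdefault(name, lines)  # define each object exactly once
        return name

    for raw in old_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] == "access-list" and len(tokens) > 2:
            body = tokens[3:] if tokens[2] == "extended" else tokens[2:]
            if body[:2] == ["permit", "ip"]:  # only 'permit ip' ACEs drive nat 0
                src, i = _addr_spec(body, 2)
                dst, _ = _addr_spec(body, i)
                acls.setdefault(tokens[1], []).append((src, dst))
            continue
        m = _IF_PAIR.match(line)
        if not m:
            continue  # not a NAT statement this converter handles
        kw, real_if, mapped_if, rest = m.groups()
        t = rest.split()
        if kw == "static" and mapped_if:
            # pre-8.3 order is: static (real_if,mapped_if) MAPPED REAL [netmask M]
            mask = t[3] if len(t) >= 4 and t[2] == "netmask" else "255.255.255.255"
            mapped = ipaddress.ip_network(f"{t[0]}/{mask}", strict=False)
            real = ipaddress.ip_network(f"{t[1]}/{mask}", strict=False)
            static_rules.append(
                f"nat ({real_if},{mapped_if}) source static {obj(real)} {obj(mapped)}")
        elif kw == "nat" and t[:2] == ["0", "access-list"]:
            exemptions.append((real_if, t[2]))

    # nat 0 access-list had the highest precedence pre-8.3, so its rules go first
    exempt_rules: List[str] = []
    for ifc, acl in exemptions:
        for src, dst in acls.get(acl, []):
            s, d = obj(src), obj(dst)
            exempt_rules.append(
                f"nat ({ifc},any) source static {s} {s} destination static {d} {d}{trailer}")

    out: List[str] = []
    for lines in objects.values():
        out.extend(lines)
    return out + exempt_rules + static_rules


# Constructed sample in pre-8.3 syntax (RFC 5737 documentation addresses).
SAMPLE_OLD = """\
! public addresses live inside; translate nothing in either direction
static (inside,outside) 203.0.113.5 203.0.113.5 netmask 255.255.255.255
access-list exempt1 permit ip 203.0.113.0 255.255.255.0 any
access-list exempt1 extended permit ip host 203.0.113.9 198.51.100.0 255.255.255.0
nat (inside) 0 access-list exempt1
"""

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_OLD)))
```

After pasting the output, confirm it does what the old statements did: show nat detail should list the identity rules with translate_hits and untranslate_hits climbing as traffic flows, and packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.5 443 should show an inbound flow matching the identity rule and then the outside access-list. That ACL is the 8.3+ detail to remember: interface access-lists now match the real (untranslated) address; with identity NAT on public addresses the real and mapped addresses are the same, so existing ACL entries need no rewriting.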

Many thanks. I have to add my vote to those who say this new syntax in 8.3+ is not great, but so what, we have to adapt to it.

Sure, thanks. I work with the 8.3 NAT day in and day out and I feel it is far better than the earlier ones; it seems more logical. Although yes, there might be some things like creating objects, overall it's a thumbs up from me.

Cheers,

Varun

Thanks,
Varun Rao