
Static NAT

ccoutts
Level 1

Hi,

Please can someone clarify something for me:

If I have a general identity NAT statement for a network e.g.

static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

Can I use the following static NAT statement with an access-list to NAT only certain hosts to the outside interface address, i.e.

static (inside,outside) interface access-list TRANSLATE

access-list TRANSLATE permit tcp host 172.16.10.20 host X.X.X.X

Where X.X.X.X is a host on the Internet.

I know this could be done with NAT rather than statics, but my existing identity NAT statement is taking precedence.

Thanks,

Charles

3 Replies

vasthorvak
Level 1

Yes, you could do this; it is called policy NAT.

From the looks of what you have here, your best bet would be NAT exemption, and get rid of the identity NAT statements. Just remember that for the NAT exemption to take place you need to do a clear xlate so existing traffic will start using it.

NAT exemption is an access-list applied to a nat 0 statement and has the highest precedence, so it will override your current static statement. An added advantage is that it will not use memory or CPU, since it bypasses the translations altogether.

The only problem I see with doing NAT exemption (nat 0 access-list) is that, given the original identity NAT that he has, it would require him to do something like this:

access-list nonat permit ip 172.16.10.0 255.255.255.0 any

nat (inside) 0 access-list nonat

This will take precedence over the static policy NAT that he wants to do for a specific destination. If he would like to bypass NAT for only specific destinations, then that would be fine.

This is the way I see it.

Best regards,

Federico Rodriguez

Thanks all for your replies. I have got round it by taking out the summarised static for the network, and re-applying the statics missing out the host I want to be able to NAT to the outside interface address.
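The three replies above all turn on the pre-8.3 ASA NAT order of operations (NAT exemption via nat 0 access-list first, then static rules, regular and policy, first match in configuration order, then policy dynamic NAT, then regular dynamic NAT). The following Python is an added example, not code from the thread or from Cisco: it models that ordering for the statements discussed here, shows which statement handles a packet from 172.16.10.20 under each configuration (the original identity static, the policy static, a broad versus a narrowed nonat ACL, and Charles's final split of the statics), and carves the /24 into the fewest netmask blocks that omit the excluded host. Assumptions: 203.0.113.10 stands in for the thread's X.X.X.X, 10.0.0.0/8 is a constructed destination for the narrowed nonat ACL, ACL matching is reduced to source and destination (protocol and ports are ignored), and the policy static is entered before the identity static so that it wins first-match within the static section.

```python
"""Model of the pre-8.3 ASA NAT order of operations (added example, not from the thread).

Documented order for ASA 8.2 and earlier: NAT exemption (nat 0 access-list),
then static NAT/PAT (regular and policy, first match in config order), then
policy dynamic NAT, then regular dynamic NAT. ACL matching is simplified to
source/destination networks; protocol and ports are ignored (assumption).
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Lower number is consulted first; ties are broken by configuration order.
PRECEDENCE = {"exempt": 0, "static": 1, "policy_dynamic": 2, "dynamic": 3}

NET = ipaddress.IPv4Network("172.16.10.0/24")   # the thread's inside network
HOST = "172.16.10.20"                            # host that should use the interface address
PEER = "203.0.113.10"                            # constructed stand-in for X.X.X.X


@dataclass(frozen=True)
class NatRule:
    kind: str                              # key of PRECEDENCE
    real: ipaddress.IPv4Network            # real (inside) source addresses covered
    mapped: str                            # what the source becomes ("identity", "interface")
    dest: ipaddress.IPv4Network = ANY      # destination filter from a policy ACL; ANY if none
    config: str = ""                       # the ASA statement this entry models


def lookup(rules, src, dst):
    """Return the rule the ASA would apply to a packet src -> dst, or None."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for kind in sorted(PRECEDENCE, key=PRECEDENCE.get):   # exemption, static, ...
        for rule in rules:                                 # config order within a section
            if rule.kind == kind and src in rule.real and dst in rule.dest:
                return rule
    return None


def carve(network, excluded):
    """CIDR blocks covering `network` minus the `excluded` hosts, fewest blocks first-sorted."""
    blocks = [ipaddress.IPv4Network(network)]
    for host in excluded:
        hole = ipaddress.IPv4Network(f"{host}/32")
        blocks = [b for net in blocks
                  for b in (net.address_exclude(hole) if hole.subnet_of(net) else [net])]
    return sorted(blocks)


def identity_static(net=NET):
    """static (inside,outside) X X netmask M, i.e. the summarised identity NAT from the post."""
    a, m = net.network_address, net.netmask
    return NatRule("static", net, "identity",
                   config=f"static (inside,outside) {a} {a} netmask {m}")


def split_statics(network, excluded):
    """Identity statics that cover `network` without the excluded hosts (Charles's fix)."""
    return [identity_static(b).config for b in carve(network, excluded)]


def policy_static():
    # static (inside,outside) interface access-list TRANSLATE
    # access-list TRANSLATE permit tcp host 172.16.10.20 host 203.0.113.10
    return NatRule("static", ipaddress.IPv4Network(f"{HOST}/32"), "interface",
                   dest=ipaddress.IPv4Network(f"{PEER}/32"),
                   config="static (inside,outside) interface access-list TRANSLATE")


def dynamic_pat():
    # nat (inside) 1 172.16.10.0 255.255.255.0  /  global (outside) 1 interface
    return NatRule("dynamic", NET, "interface",
                   config="nat (inside) 1 172.16.10.0 255.255.255.0")


def exemption(dest):
    # nat (inside) 0 access-list nonat ; access-list nonat permit ip 172.16.10.0 255.255.255.0 <dest>
    return NatRule("exempt", NET, "identity", dest=ipaddress.IPv4Network(dest),
                   config="nat (inside) 0 access-list nonat")


def scenarios():
    """Which statement handles 172.16.10.20 -> 203.0.113.10 in each configuration discussed."""
    out = {}
    # Original post: the static section is consulted before dynamic NAT, so nat/global never fires.
    out["identity_only"] = lookup([identity_static(), dynamic_pat()], HOST, PEER).config
    # Policy static listed before the identity static wins first-match within the statics.
    out["policy_static"] = lookup([policy_static(), identity_static()], HOST, PEER).config
    # A nonat ACL to any destination is exemption, which sits above every static.
    out["broad_exemption"] = lookup([exemption("0.0.0.0/0"), policy_static(), identity_static()], HOST, PEER).config
    # Exemption narrowed to a constructed 10.0.0.0/8 leaves Internet-bound traffic to the policy static.
    out["narrow_exemption"] = lookup([exemption("10.0.0.0/8"), policy_static(), identity_static()], HOST, PEER).config
    # Charles's fix: statics that no longer cover .20, so the host falls through to dynamic NAT.
    rules = [identity_static(b) for b in carve(NET, [HOST])] + [dynamic_pat()]
    out["split_statics"] = lookup(rules, HOST, PEER).config
    out["neighbour_still_identity"] = lookup(rules, "172.16.10.21", PEER).config
    return out


if __name__ == "__main__":
    for line in split_statics(NET, [HOST]):
        print(line)
    for name, hit in scenarios().items():
        print(f"{name:26s} -> {hit}")
```

The carve step is the part worth keeping: a /24 minus one host needs only eight static statements with netmasks (/28, /30, /32, /31, /29, /27, /26, /25) rather than one per host. After re-applying statics or adding a nat 0 access-list on a real ASA, run clear xlate as vasthorvak notes, since existing translations keep their old rule until they time out.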