07-20-2005 05:48 AM - edited 03-09-2019 11:53 AM
Hi,
Please can someone clarify something for me:
If I have a general identity NAT statement for a network e.g.
static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
Can I use the following static NAT statement with an access-list to NAT only certain hosts to the outside interface address, i.e.
static (inside,outside) interface access-list TRANSLATE
access-list TRANSLATE permit tcp host 172.16.10.20 host X.X.X.X
Where X.X.X.X is a host on the Internet.
I know this could be done with NAT rather than statics, but my existing identity NAT statement is taking precedence.
Thanks,
Charles
07-20-2005 06:29 AM
Yes, you could do this; it is called policy NAT.
From the looks of what you have here, your best bet would be NAT exemption and getting rid of the identity NAT statements. Just remember that for the NAT exemption to take place you need to do a clear xlate so existing traffic will start using it.
NAT exemption is an access-list applied to a nat0 statement and has the highest precedence. So it will override your current static statement. An added advantage would be that it will not use mem or CPU, since it bypasses the translations altogether.
07-23-2005 10:49 PM
The only problem I see with doing NAT exemption (nat 0 access-list) is that given the original identity NAT that he has it would require him to do something like this:
access-list nonat permit ip 172.16.10.0 255.255.255.0 any
nat (inside) 0 access-list nonat
This will take precedence over the static policy NAT that he wants to do for a specific destination. If he would like to bypass NAT for only specific destinations, then that would be fine.
This is the way I see it.
Best regards,
Federico Rodriguez
07-24-2005 03:31 AM
Thanks all for your replies. I have got round it by taking out the summarised static for the network, and re-applying the statics missing out the host I want to be able to NAT to the outside interface address.
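The workaround in the last post, as an added example that is not part of the original thread: this script splits the identity range into the smallest set of CIDR blocks that leaves out one host and prints an identity static for each block, in the form used in the question. The post does not say how the statics were actually split; the function names are hypothetical, and it is an assumption that the device accepts every netmask produced.

```python
import ipaddress


def identity_blocks(network: str, excluded_host: str):
    """CIDR blocks covering `network` except the single address `excluded_host`."""
    net = ipaddress.ip_network(network)
    host = ipaddress.ip_network(excluded_host)  # a bare address parses as a /32
    if host.version != 4 or net.version != 4 or host.prefixlen != 32:
        raise ValueError("expected an IPv4 network and a single IPv4 host")
    if not host.subnet_of(net):
        raise ValueError(f"{excluded_host} is not inside {network}")
    # address_exclude() yields the minimal set of blocks that omit the host.
    return sorted(net.address_exclude(host))


def render_identity_statics(blocks, real_if="inside", mapped_if="outside"):
    """Render each block in the same form as the identity static in the thread."""
    return [
        f"static ({real_if},{mapped_if}) {b.network_address} "
        f"{b.network_address} netmask {b.netmask}"
        for b in blocks
    ]


if __name__ == "__main__":
    # Network and host are the ones given in the thread.
    blocks = identity_blocks("172.16.10.0/24", "172.16.10.20")
    for line in render_identity_statics(blocks):
        print(line)
```

With 172.16.10.20 no longer matched by any identity static, that host is free to be translated by a separate rule such as the access-list based one from the question.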