cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
27450
Views
5
Helpful
13
Replies
Highlighted

Exempting NAT on ASA 5505 Version 9.1(1)

Hi guys,

I have been using ASDM on a "Cisco Adaptive Security Appliance Software Version 8.2(5)" for a long time and in order to route packets among the interfaces without NATting the packets, I have always been using the function "Add NAT Exempt Rule" under "Configuration -> Firewall -> NAT Rules". Everything has always been working fine.

Now I am trying to use ASDM on a "Cisco Adaptive Security Appliance Software Version 9.1(1)" and I cannot find how to do the same operation: the "Add NAT Exempt Rule" option is no longer available and the only way to make the traffic passing through seems to be NATting it on the OUTSIDE interface.

Can you please tell me where I am mistaking? My goal is to let the traffic passing through from the inside interface to the outside interface without being translated.

Thanks,

Dario Vanin

13 REPLIES 13
Highlighted
Beginner

Hi Dario,

In order to that, that nat 0 access-list has been replaced by nat source static [no-proxy-arp] [route-lookup]

to give you an example if you want to exempt a host with an ip address of 1.1.1.1 when accessing a host 2.2.2.2 you can configure it as:

object network HostA

host 1.1.1.1

object network HostB

host 2.2.2.2

nat (inside,outside) source static  HostA HostA destination static HostB HostB

You can just change your object to a network if you want to exempt a range.

Hope this helps.

Regards,

Alex Tulio

Highlighted

Hi Alex,

I've tried the following syntax with no luck :-(

object network lan-perth

subnet 172.16.0.0 255.255.0.0

object network lan-sydney

subnet 172.17.0.0 255.255.0.0

nat (inside,outside) source static lan-sydney lan-sydney destination static lan-perth lan-perth

nat (inside,outside) source static lan-perth lan-perth destination static lan-sydney lan-sydney

Can you please help me find out where the error is?

Thanks,

Dario

Highlighted

Anybody can help me?

Highlighted

I know this is quite old but i ran into the same problem and i think i should post my resolution as found on this this link

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1176608

It says "NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal"

Highlighted

When you put this:

nat (inside,outside) source static lan-sydney lan-sydney destination static lan-perth lan-perth

nat (inside,outside) source static lan-perth lan-perth destination static lan-sydney lan-sydney

It's confusing which network is reachable through the "outside" interface and which is reachable through the "inside" interface. You will not need both. If sydney is on the inside and perth is accessed via the outside leave the first rule and remove the second, vise versa if the other way around.

Highlighted

Hi Gabriel,

Perth is connected to the Inside, Sydney to the outside and my goal is to make both the networks visible to each other.

I've tried to use one configuration at a time but they don't work... and unfortunately I can't see any error from the log viewer.

Thanks,

Dario

Highlighted

Nat exempt is no longer support by now.,
now youfirst you creat object group then you apply nat

T
See this is network



Sent from Cisco Technical Support Android App

Highlighted

Hi Gaurav,

This is what I am trying to do (see previous posts).

Thanks,

Dario

Highlighted

If Perth is connected to the inside, then you would only need:

nat (inside,outside) source static lan-perth lan-perth destination static lan-sydney lan-sydney

And pls remove as it is incorrect:

nat (inside,outside) source static lan-sydney lan-sydney destination static lan-perth lan-perth

Then "clear xlate" after making the changes. All should be good after the changes.

Try packet tracer and see where it's failing if it does fail.

Assuming that you are doing site-to-site VPN between Perth and Sydney, check if the crypto ACL contains the correct subnet as well, and it's mirror image between the 2 sites. Check if the VPN tunnel is up.

Highlighted

Hi Jennifer,

Thanks for your reply.

First of all, I have temporarily changed the subnet in Sydney to 10.0.1.0/24.

Currently I have both the routers on my desk as I am trying to configure them before going to Sydney to install them. The outside interface of the Sydney router is plugged directly to the switch of Perth (lan 172.16.0.0/16). There is no VPN in place for the moment as I am using a MPLS solution.

I have tried your solution but I have not been able to make it work. My problem is that the packet tracer shows that the packet is allowed (see http://casa.itwa.net/tmp/jennifer2.PNG) whereas if I do the same operation from a computer using a web broser, I have no luck. I've used two different computers so to be sure it was not a problem on my terminal. I don't have an antivirus installed and no firewall is enabled.

When I try to open a server in Perth (172.16.0.11) from a device behind the Sydney network (10.1.1.53), it times out and as you can see on http://casa.itwa.net/tmp/jennifer1.PNG , the ASDM doesn't show any error.

Any idea?

Thanks,

Dario Vanin

Highlighted

Assuming that you have default gateway set to be each other on the ASA, and also the server that you are trying to access doesn't have any firewall that might block inbound connection from different subnet, then i don't see why it is not working.

What about the Perth side, do you have any NAT configured, or NAT exemption configured as well, and also access-list on the outside interface to allow the traffic through, because traffic from low to high security level will need either static NAT or NAT exemption + ACL on the interface to allow it through.

Highlighted
Participant

 

   I know this is an old post, however I would like you to add this two commands in your config. and try

       - same-security-traffic permit intra-interface

 

       - same-security-traffic permit inter-interface

 

 

 

Highlighted

THANK YOU!!!!!!!!!!!!!!!!!