NAT Exemption Question...?

Hoggm
Level 1
We have a network connected to a partner company and we NAT IP addresses from our network to theirs using Cisco routers. I now have a requirement to allow a single IP address through the same port as the NATted traffic without NATting it. (We do not have overlapping IP ranges for this specific IP address.)

I have researched this a lot and found that route-maps and ACLs appear to be the way to do this.
Can anyone provide an appropriate solution or recommendation to exempt a single IP address through a NATted port (outside to inside) without affecting the existing traffic and setup?

Thanks, Mark

Accepted Solution

Hello Mark

 


@Hoggm wrote:

Hi Paul

Thanks for the response. I'm fully aware of the idea of NAT, and yes, the host address is applicable not to be NATted.

The destination subnet does have a route back toward this internal host address. We can PING the device from the inside network to the outside network; it's just that the device in the outside network cannot PING or communicate beyond the outside NATted port on my router.

 


As long as there is a valid host route towards that internal host, then you don't really need to do anything else for a connection from any outside host to connect to that internal host. So are you sure you don't have any other access list or security policy negating this access?

As for the internal host, if you wish for it not to be NATted when it wants to reach externally, then just negate that host from the existing NAT access-list.

Example:

! Inside-to-outside translation driven by the access-list named NAT
ip nat inside source list NAT interface xxx

! In a NAT access-list, "deny" means "do not translate", not "drop";
! the deny for the single host must come before the permit that covers its subnet
ip access-list extended NAT
 deny ip host X.X.X.Y any
 permit ip X.X.X.0 0.0.0.255 any

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


6 Replies

Hello,

 

Not sure what you are after exactly, but a simple outside-to-inside NAT exemption would be as below:

access-list 1 deny host x.x.x.x
access-list 1 permit any
!
ip nat outside source list 1 pool IPPOOL
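Both answers in this thread rely on the same IOS behaviour: a NAT access-list is a selection list, so a "deny" entry exempts a flow from translation rather than dropping it, and first match wins, which is why the host-specific deny has to sit above the permit for its subnet. The model below (added here as an illustration; it is not Cisco code and not part of the original posts) parses ACLs in both forms used in the thread, the named extended list from the accepted solution and the numbered standard list from Georg's outside-source example, evaluates a packet against them, and flags the ordering mistake that silently leaves the "exempt" host translated. The subnet 10.10.10.0/24, the exempt host 10.10.10.5, the outside interface 192.0.2.1 and the partner host 198.51.100.7 are constructed sample values, not from the thread.

```python
"""Model of how a Cisco IOS NAT access-list selects traffic for translation.
Not Cisco code: it reproduces first-match ACL semantics so the 'deny = exempt,
not drop' behaviour can be checked offline. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                  # "permit" = translate, "deny" = leave untranslated
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY for a standard ACL, which matches source only


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD | bare A.B.C.D."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 >= len(tokens):  # standard ACL shorthand: bare address means one host
        return ipaddress.ip_network(tokens[i] + "/32"), i + 1
    # An IOS wildcard is the bitwise inverse of a netmask: 0.0.0.255 -> /24
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Accept numbered standard lines ('access-list N permit|deny SRC') and the body
    of a named extended ACL ('permit|deny ip SRC DST'); header/comment lines are skipped."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list":
            src, _ = _parse_addr(tokens, 3)
            entries.append(AclEntry(tokens[2], src, ANY))
        elif tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
            entries.append(AclEntry(tokens[0], src, dst))
    return entries


def nat_decision(acl: List[AclEntry], src: str, dst: str = "0.0.0.0") -> str:
    """First matching entry wins. 'permit' selects the flow for translation; a 'deny'
    (or the implicit deny at the end) leaves it untranslated but still routed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


def source_on_the_wire(acl: List[AclEntry], nat_address: str, src: str, dst: str) -> str:
    """Source address the far side sees: the NAT address when the ACL permits,
    the host's real address when it is exempted."""
    return nat_address if nat_decision(acl, src, dst) == "translate" else src


def shadowed_denies(acl: List[AclEntry]) -> List[str]:
    """Lint for the classic mistake: a 'deny host' placed after a 'permit' that already
    covers it is never reached, so the host is still translated."""
    findings = []
    for i, e in enumerate(acl):
        if e.action != "deny":
            continue
        for j, earlier in enumerate(acl[:i]):
            if (earlier.action == "permit" and e.src.subnet_of(earlier.src)
                    and e.dst.subnet_of(earlier.dst)):
                findings.append(f"entry {i + 1} is shadowed by entry {j + 1}")
                break
    return findings


# Constructed sample configs (shape of the thread's examples, hypothetical addresses)
INSIDE_SUBNET_EXEMPT_HOST = """
ip access-list extended NAT
 deny   ip host 10.10.10.5 any
 permit ip 10.10.10.0 0.0.0.255 any
"""
INSIDE_SUBNET_SHADOWED = """
ip access-list extended NAT
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip host 10.10.10.5 any
"""
OUTSIDE_SOURCE_EXEMPT = """
access-list 1 deny host 198.51.100.7
access-list 1 permit any
"""
OUTSIDE_IF_ADDRESS = "192.0.2.1"  # router's outside interface address (hypothetical)

if __name__ == "__main__":
    acl = parse_acl(INSIDE_SUBNET_EXEMPT_HOST)
    for host in ("10.10.10.5", "10.10.10.20"):
        print(host, "->", source_on_the_wire(acl, OUTSIDE_IF_ADDRESS, host, "198.51.100.7"))
    print("shadow check:", shadowed_denies(parse_acl(INSIDE_SUBNET_SHADOWED)))
```

Running the lint over a candidate NAT list before committing it is the check to do when a host is "exempted" but the far side still sees the interface address; the model also makes Paul's point concrete, since a NAT-list deny never explains a blocked inbound connection, so a missing host route or a separate interface ACL has to be the cause.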

Hi Georg

Thanks for the response. I'll test this out and will report back.

Cheers

Mark

Hello,
The idea of NAT is that you conserve public routable IP addressing by hiding hosts behind non-public routable addresses. So the first question must be: is this host address applicable not to be NATted, and if so, does the destination subnet have a route back toward this internal host address?



Kind Regards
Paul

Hi Paul

Thanks for the response. I'm fully aware of the idea of NAT, and yes, the host address is applicable not to be NATted.

The destination subnet does have a route back toward this internal host address. We can PING the device from the inside network to the outside network; it's just that the device in the outside network cannot PING or communicate beyond the outside NATted port on my router.

 

Regards

Mark

Thanks Paul

This fixed my issues.
