
Re: Identity NAT vs. NAT Exempt: E Security, CCSI

There are three types of Identity NAT: Dynamic, Static, and Policy based static. NAT Exemption restricts Dynamic Identity NAT to an access list. Static Identity NAT translates traffic between two specified subnets bidirectionally if allowed by interface ACLs. Policy based static NAT also translates bidirectionally between two specified subnets if allowed by a named extended ACL. NAT Exemption is similar but does not do an actual translation, instead exempting addresses that match an access list from translation.

Uploaded by Hai Pham Van
Copyright: © Attribution Non-Commercial (BY-NC)

E Security, CCSI

5,663 posts since Jul 18, 2008

1. Oct 23, 2010 8:47 AM (in response to Steve (aka Hollywood0728))


Re: Identity NAT vs. NAT Exempt

Identity NAT falls into three categories: Dynamic Identity NAT, Static Identity NAT, and Policy based static Identity NAT. NAT Exemption is basically a similar config to Dynamic Identity NAT, but it restricts it to an access-list.

Dynamic Identity NAT: Only connections from the inside to elsewhere are translated.

    ciscoasa(config)# nat (inside) 0 192.168.0.0 255.255.255.0

Static Identity NAT: If the interface ACLs allow the traffic, this can be used in either direction. Traffic to/from 192.168.0.0/24 (on the inside) is not translated.

    ciscoasa(config)# static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Static Identity Policy NAT: Also, if the interface ACLs allow the traffic, connections between 192.168.0.0 and 172.31.0.0 can use this translation in either direction.

    ciscoasa(config)# access-list NAT ex permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
    ciscoasa(config)# static (inside,outside) 192.168.0.0 access-list NAT

Think of the above as the following:

    static (inside,outside) 192.168.0.0 192.168.0.0 if going to 172.31.0.0/24

NAT Exemption: Again, if the ACL allows it, connections between 192.168.0.0 and 172.31.0.0 can use this translation in either direction. Actually it's not a translation, but a "non" translation.

    ciscoasa(config)# access-list NAT_EXEMPT extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
    ciscoasa(config)# nat (inside) 0 access-list NAT_EXEMPT

Think of the above as: disable translation of 192.168.0.0 to any interface if going to 172.31.0.0/24.

............................

A more relevant configuration might be:

    ciscoasa(config)# static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
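As an added illustration (not part of the post and not Cisco code), here is a small Python audit helper that parses the four pre-8.3 command forms shown above from a constructed sample config and reports which identity or exemption rules cover a given flow, applying the directionality the post describes: dynamic identity NAT only for connections initiated from its interface, the other three in either direction. It assumes a policy static rule is identity only when the mapped address equals the ACL source (as in the post's example), and it does not model precedence between overlapping rules.

```python
import ipaddress

# Constructed sample using the pre-8.3 ASA command forms from the post (not a real
# device config); subnets differ per rule so each one can be told apart.
SAMPLE_CONFIG = """
access-list NAT extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list NAT_EXEMPT extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
nat (inside) 0 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,outside) 192.168.0.0 access-list NAT
nat (inside) 0 access-list NAT_EXEMPT
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_rules(config):
    """Return (kind, interface, src_net, dst_net, bidirectional) tuples. Per the post,
    dynamic identity NAT covers only flows initiated from its interface; the rest go both ways."""
    acls, rules = {}, []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(f[1], []).append((net(f[5], f[6]), net(f[7], f[8])))
        elif f[0] == "nat" and f[2] == "0":
            iface = f[1].strip("()")
            if f[3] == "access-list":  # NAT exemption: ACL matches are not translated
                rules += [("nat-exempt", iface, s, d, True) for s, d in acls.get(f[4], [])]
            else:  # dynamic identity NAT for one subnet
                rules.append(("dynamic-identity", iface, net(f[3], f[4]), ANY, False))
        elif f[0] == "static":
            iface = f[1].strip("()").split(",")[0]
            if f[3] == "access-list":  # policy static; assumed identity only if mapped == ACL source
                rules += [("policy-static-identity", iface, s, d, True)
                          for s, d in acls.get(f[4], []) if f[2] == str(s.network_address)]
            elif f[2] == f[3]:  # real == mapped, i.e. static identity NAT
                rules.append(("static-identity", iface, net(f[2], f[5]), ANY, True))
    return rules

def covering_rules(rules, iface, src_ip, dst_ip):
    """Kinds of identity/exempt rules covering a flow entering on `iface`;
    bidirectional rules also match the reverse flow entering on another interface."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [kind for kind, rif, s, d, both in rules
            if (iface == rif and src in s and dst in d)
            or (both and iface != rif and dst in s and src in d)]
```

Calling `covering_rules(parse_rules(SAMPLE_CONFIG), "outside", "10.0.0.1", "192.168.1.5")` returns an empty list, which is the one-way nature of dynamic identity NAT the post points out, while the same reverse flow toward 192.168.2.5 is covered by the static identity rule.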
