Issue of NAT...

Hi Experts,

Quick question: if I want to do a NAT exemption for ALL IP traffic on an interface in version 8.4(2), what should I do?

I just want to check it again... would it work, or do I have to use another method? What I have in mind is: nat (interface,any) source static any any

Thank you




I think you already asked something like this in the previous thread.

If your situation is still that NO hosts must be translated through the firewall, then you can simply LEAVE OUT all the NAT configuration.

Usually when people need hosts exempted from NAT, they have some destination networks for which it should apply (VPN connections); in that case you set the destination parameters in the NAT configuration as well.

You might naturally have public subnets behind the firewall without NAT. As long as no other NAT rule matches these public subnets as a source, you can simply leave out all the NAT configuration.

From what I have tested, I would probably avoid the NAT configuration above, even though I mentioned it in the other thread. It might even cause problems.

I suggest the other format, which is basically that you define the source networks behind this interface in an "object-group network" and then configure the NAT rule:

object-group network NETWORKS



nat (interface,any) source static NETWORKS NETWORKS

Pretty hard to say more without an accurate picture of the situation.
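The exemption the answer describes, carried through as an added worked example rather than configuration from the thread: it assumes the interface is called inside, that the networks behind it are 10.1.0.0/16 and 10.2.0.0/24, and that a default PAT rule also exists; all of those names and addresses are invented for illustration. The no-proxy-arp and route-lookup keywords exist from 8.4(2) on, which is the version the question is about.

```cisco
! Added example, not from the original thread. Interface name, object names and
! subnets are assumptions.
object-group network NETWORKS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.255.0
!
! Section 1 (manual/twice) identity NAT: NETWORKS is translated to itself towards
! any egress interface, so these addresses leave the ASA untouched.
! no-proxy-arp : do not answer ARP for these real addresses on other interfaces
! route-lookup : choose the egress interface from the routing table rather than
!                from the mapped interface named in the rule
nat (inside,any) source static NETWORKS NETWORKS no-proxy-arp route-lookup
!
! Any other translation (here a default PAT) goes to Section 3 with "after-auto",
! so it can never be evaluated before the exemption above.
nat (inside,outside) after-auto source dynamic any interface
!
! Checks (enable mode):
!   show nat   -> the identity rule is listed under "Manual NAT Policies (Section 1)"
!   packet-tracer input inside tcp 10.1.5.10 1025 198.51.100.20 443
!              -> the NAT phase's "Additional Information" reads
!                 "Static translate 10.1.5.10/1025 to 10.1.5.10/1025"
```

Because the mapped interface is any, the exemption also covers traffic that goes out to the Internet. That is exactly what "ALL IP traffic on an interface" asks for, but it means the real addresses must be routable from the far side, or the return traffic never comes back.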


Tags: Cisco Security

Similar Questions

  • Issue of NAT for ASA running 8.4 (5)

    We have a client who is about to hang an ASA off the DMZ of our firewall, which is running 8.4(5). This firewall is currently on another part of our network, and the NAT will change considerably. Right now, everything on the client firewall must be NATed to the outside with the same IP as the internal IP, for example like the old "static (inside,outside)" command with a netmask.

    When I look at the Cisco document for NAT (conversion), I don't see a conversion between the two. This is not a "nat 0" because users need access to certain hosts inside our customer's firewall.

    Can someone please point me in the right direction? Thank you


    Let's assume that the following is true:

    • The new ASA has 'inside' and 'outside' networks/interfaces only
    • The new ASA should NOT NAT anything from 'inside' to 'outside' for any kind of traffic (your firewall handles this?)

    Then you can simply have the ASA with absolutely no NAT configuration. The ASA with the new software releases, 8.3 and above, automatically passes all traffic through the ASA UNNATED. We use it at a single client and it works very well.

    Please let me know if the above is the case, or if there is something else I'm not thinking of.


  • issue of nat sr520

    Hi, I have configured the SR520 using the CCA.

    Basically I have a device connected to the SR520 wirelessly with the IP

    The SR connects to the internet via ADSL and PPPoE.

    I have configured NAT on the unit for a number of ports, but it does not work.

    I enclose an excerpt from the configuration; any ideas would help.

    Instead of...
    policy-map type inspect sdm-inspect-voip-in
     class type inspect SDM-inspect-staticnat-in
    could you do
    policy-map type inspect sdm-inspect-voip-in
     class type inspect SDM-inspect-staticnat-in
    I think that will fix the problem.
  • Issue of NAT for VPN

    If I have a LAN and I want to NAT all of the hosts in it, I really don't want to create an object for each unique host in the network, because it's just too many. I just want to confirm: by creating two objects and then NATing them, I must configure one NAT rule, right?

    object network obj-
     subnet

    object network obj-

    nat (inside,outside) source static obj- obj- destination static REMOTE REMOTE

    Now when the remote network needs access to hosts on the network, they should just be able to access them? will map to, will map to, will map to

    and so on...?

    In addition,

    A test on my home ASA:

    object network LAN
     subnet

    object network REMOTE

    object network LAN-NAT
     subnet

    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE

    LAN -> REMOTE:

    ASA(config)# packet-tracer input LAN tcp 1025 80

    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
    Additional Information:
    Static translate to

    ASA(config)# packet-tracer input WAN tcp 1025 80

    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
    Additional Information:
    NAT divert to egress interface LAN
    Untranslate to

  • NAT with Snow Leopard issue

    For the poster who will say "Google is your friend": no, it is not, or I wouldn't be here.

    I have been trying for a while now to solve the only problem I have with Snow Leopard Server.

    MySQL was dropped in Lion and, apparently, no one knows how to use PostgreSQL, so I installed MySQL and fiddled with it for a few hours to get this working.  There were various other issues with Lion.  Finally, I went to Yosemite.  Hey Apple, where is the GUI?  Then to El Capitan, and finally I tried Sierra (no Server app at all yet).

    For me, each 'step up' took things away and ran weaker than the last.

    Welcome back to Snow Leopard.  I'll stick with it for a while to come.

    The only problem I have with Snow Leopard is that when it restarts, NAT will not start up.  Other than that, it does a magnificent job of maintaining my home network.  I searched high and low for an answer without success.  A few posters who addressed this specific problem here never got a response.

    As it seems to be about three years or more since this question was asked, and it seems that some have migrated to SLS, I was wondering if anyone has found a solution.

    As it is now, whenever there is a need to reboot, I just disable the NAT service, restart, and turn it back on.  In the case of a power failure (longer than the UPS can hold) or just a random crash, I have to kill the firewall and NAT, then set up the gateway service anew, which requires fixing the various omissions and errors, and I'm good to go again.

    Any help would be greatly appreciated.

    You have posted in the Snow Leopard Client forum.  I'll ask for this post to be moved.  In the meantime, you can look at the various forums about this topic:

  • WRT160N - V3 Xbox NAT strict issue

    Xbox 360 NAT issues resolved! (WRT160N v3).

    I followed the instructions in the link above, and also in at least 20 other posts, but I always get strict NAT with a single Xbox.  I think I have tried every combination and I can't understand why my situation is somewhat different.

    Question: when I go to STATUS, under the 'Internet connection' tab, 'IP address', I see (an internal address).  I read somewhere that this means there is another NAT beyond my router. Is that the problem?

    This problem started when I replaced my (default) DSL modem/router combination, an old 2Wire HomePortal 1000s, with a brand new Motorola model 2210-02-1022 (modem only) from the AT&T store, combined with a WRT160N v3.

    I tried all combinations of UPnP enabled, port forwarding, port triggering and DMZ range.  I used a DHCP reservation to assign my Xbox a static IP address and checked that this works very well.  But even in the DMZ with UPnP off, I get strict NAT.

    I think I have to dump the Motorola + 160N and buy the current AT&T 2Wire combo modem/router, but I don't want to do that when I don't know for sure it will be any better.

    Others seem to have great success getting this cleared up.  Can someone shed light on why none of these techniques work for me?

    Thank you

    I want to thank you because, after endless hours trying to get rid of the Xbox 360 strict NAT, your advice finally put me on the right track.

    With my particular combination (AT&T DSL, Motorola modem + WRT160N v3), bridge mode did not work.  As soon as I put the modem in bridge mode, the Internet light on the front does not come on.  Maybe if I called AT&T I could find a way around it.  This setting seems to move the PPPoE connection to the router instead of the modem, but no PPPoE setting I use (including providing the user ID and password, etc.) gets me an Internet connection.

    What worked was in the modem settings.  There was no obvious parameter to enable/disable NAT; instead, it reads: "Let device LAN share Internet address?"  Choices: "No, use the private IP address", "Yes, use the public IP address".  This is the modem's NAT switch and it must be set to Yes (the default is No, which is what created the 2nd NAT).

    Even in non-bridged mode, with the modem NAT removed, the router NAT and the other settings now work.  I could put the Xbox in the DMZ successfully.  The clue is that in the router's STATUS tab you now see a public IP address instead of the modem's internal address.

    WOW, that was difficult and time-consuming to get to this point!

  • 8.4 ASA using NAT VPN issue.


    I'm working on a customer site and they have a problem with one of their VPNs (we have others working well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.

    Traffic between inside and outside:

    It works with a specific manual NAT rule with the server object as source


    SRC -> DST >> SNAT == VPN ==>> <3rd party FW>

    It works with a specific object NAT on the server


    SRC -> DST >> <3rd party FW> == VPN ==>> DNAT

    If we have both the manual NAT and the object NAT, it doesn't work.

    So the question is (as I am new to ASA 8.3 code): should I not mix the 2 types of NAT, and look at configuring it all with manual NAT or with object NAT?

    With the object NAT out, it does not work, as it is caught by the inside-to-outside NAT-all:

    nat (inside,outside) source dynamic any interface (this NATs it, so it then does not match the crypto map for the VPN)

    and I tried a no-NAT above that, but that does not work either.

    Clutching at straws comes to mind, trying to configure a different config. Any pointers in the right direction would be great.

    Kind regards



    I'm not sure I understand the setup even with the explanation. Every NAT configuration I have done for VPN used Section 1 Manual/Twice NAT.

    You have the default PAT rule configured as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections:

    • Section 1: Manual/Twice NAT
    • Section 2: Object NAT
    • Section 3: Manual/Twice NAT (moved to Section 3 with the "after-auto" parameter)
    • The sections are gone through in order, 1 then 2 then 3, to find a match.

    You should also notice that Section 1 and Section 3 NAT rules have "line numbers" similar to ACL entries. So if you have an existing default PAT rule configured in Section 1 and just add another Section 1 NAT rule without a line/order number (the VPN NAT), then it will just fall below the existing rule, making the new rule useless.

    I would advise against using the default PAT rule as a Section 1 NAT rule. Eventually this means that you will be constantly watching and editing its configuration whenever you try to configure more specific rules.

    As a general rule, the Section 3 default PAT configuration would be the following:

    nat (inside,outside) after-auto source dynamic any interface

    This would mean that you need to remove the old one. That would naturally mean the change temporarily tears down all the current connections through "inside"/"outside" while you change the NAT rule format.

    If after this you configure a Twice NAT for the VPN (without the "after-auto" parameter), it will be a Section 1 rule while the default PAT will be in Section 3. Naturally, Section 1 will be matched first.

    I'm not quite sure I have understood your setup from the above.

    Are you just doing source NAT?

    I guess the configuration you are doing is something like this?

    object network LAN-REAL
     subnet

    object network LAN-MAPPED
     subnet

    object network REMOTE-LAN
     subnet

    nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

    If the network is supposed to be one that is directly connected to your "outside" interface, the format might need to be something else.
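The Section 1 / Section 3 arrangement from the answer carried through as an added example, not the poster's or the answerer's configuration. The object names follow the answer; the subnets and the crypto ACL name are assumptions.

```cisco
! Added example. Subnets and the ACL name are assumptions.
object network LAN-REAL
 subnet 192.168.10.0 255.255.255.0
object network LAN-MAPPED
 subnet 172.16.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.50.0 255.255.255.0
!
! 1. Move the default PAT from Section 1 to Section 3. Removing the old rule
!    tears down the existing inside->outside translations, so do it in a window.
!    The "no" form must repeat the existing rule exactly.
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
!
! 2. Section 1 twice NAT for the tunnel: LAN-REAL is shown as LAN-MAPPED only when
!    the destination is REMOTE-LAN. Section 1 is checked before Section 3, so the
!    PAT rule can no longer catch this traffic, whatever order they were typed in.
nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
!
! 3. NAT runs before the crypto map is consulted, so the crypto ACL must name the
!    MAPPED source, not the real one.
access-list VPN-PARTNER extended permit ip object LAN-MAPPED object REMOTE-LAN
!
! Expected "show nat" layout (hit counters omitted):
!   Manual NAT Policies (Section 1)
!   1 (inside) to (outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
!   Manual NAT Policies (Section 3)
!   1 (inside) to (outside) source dynamic any interface
```

If "show nat" lists both rules under Section 1, the after-auto keyword was dropped and the ordering problem the answer describes is back.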


  • Garage double NAT &amp; DHCP - bridge Possible issue error


    So here's my setup on a yacht...

    I have a Mac Mini (running Boot Camp Windows 7 Pro), so effectively it's a PC.

    • I use the Mac Mini's internal WiFi adapter to get my internet connection from the various marinas I stay in
    • I then share the WiFi adapter's connection with the internal LAN adapter
    • This allows me to share the WiFi connection with other devices on the yacht

    Then I have an AirPort Extreme:

    • I run a CAT6 Ethernet cable from the Mac Mini's Ethernet port
    • to the WAN port on the AirPort Extreme
    • The AirPort Extreme now has an internet connection (from the marina WiFi)
    • I then enabled WiFi on the AirPort Extreme to create a WiFi network on the yacht
    • and it gets its internet connection from the WAN port, which in turn comes from the Mac Mini, which in turn comes from the marina WiFi

    Connected to the AirPort Extreme are:

    - iPhones, iPads, MacBook, Apple TV, Smart TV, etc.

    - Some devices are connected by cable using the AirPort Extreme LAN ports

    - Some devices are connected by WiFi using the AirPort WiFi

    I want DHCP to be handled by the AirPort Extreme, so I set its mode to "DHCP and NAT".

    Here's the problem:

    • The AirPort Extreme shows an error
    • "Double NAT and DHCP"
    • and suggests I put it in Bridge mode
    • but I don't want to do that

    Any thoughts?



    It would help if we could get the exact message you see.  You will probably need to change the DHCP range on the AirPort Extreme to a different value, and then use the 'Ignore' option for the Double NAT; then the AirPort will show a green light.

    You will have to live with the Double NAT if you want the AirPort Extreme to act as a remote router that provides a private network.

  • Question about the issue of the Double NAT...

    Ha, I haven't posted for a little while.  I have a question about Double NAT.  Is it wise to run it?  The reason I ask is that I have a WRT54G v6 router and a Zoom ADSL X4 modem/router/gateway, and it seems that websites take just a little more time to respond.  I just want to know whether I have to turn it off (i.e., put my modem in bridge mode) or what, or just leave it alone.  Now one last thing: the slowness could actually be AT&T, but I have a feeling it isn't.

    What configuration options do you have on the Zyxel to bridge it? What exactly have you tried?

    The basics for the first option are:

    * Bridged Zyxel.

    * Linksys configured for PPPoE with your username and password for the internet connection.

    Instructions to bridge the Zyxel are here or here, depending on the exact model of Zyxel.

    The second option is:

    * Zyxel acting as the router. I assume here that the Zyxel is on with a subnet mask

    Unplug the Linksys from the Zyxel. Connect a computer to the Linksys. Open the web interface of the WRT at

    On the main Setup page:

    1. change the LAN IP address to

    2. disable the DHCP server.

    3. save the settings. You will lose the connection. Unplug the computer.

    4. wire one of the numbered LAN ports of the Linksys to the Zyxel. Do not use the Internet port of the Linksys!

    Now you should be able to open the Linksys web interface at, and all devices connected wirelessly to the Linksys or connected to one of the three LAN ports should have a connection to the internet via the Zyxel.

  • Xbox 360 NAT issues?

    My Xbox 360 Live connection was working fine a few days ago.  Now I can't join parties or chats.  I was told that this is a NAT problem.  Does anyone know how to fix it?  I have a WRT54G.

    Who is your Internet service provider...?

    Try reducing the MTU to 1365, then click on the 'Administration' tab, disable the UPnP option and click on Save Settings... Now check the connection.

    If this does not resolve the problem, then try updating the router's firmware.

  • Static Nat issue unable to resolve everything tried.


    I have a Cisco ASA 5515 with ASA version 9.4.1 and ASDM 7.4

    I have a problem configuring static NAT. I have a server inside whose IP is and

    my external interface is configured with a static IP address.

    Internet works fine, but I cannot get static NAT configured...

    Here's my running config; please check it and let me know what I'm missing...

    Thank you

    ASA Version 9.4(1)
    hostname ciscoasa
    names
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
    interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/3
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
    boot system disk0:/asa941-smp-k8.bin
    ftp mode passive
    object service remote-desktop
     service tcp source eq 3389 destination eq 3389
     description remote desktop
    object network RDP_SERVER
    access-list outside_access_in extended permit object remote-desktop any4 object RDP_SERVER
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    no monitor-interface service-module
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network RDP_SERVER
     nat (inside,outside) static interface service tcp 3389 3389
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http server idle-timeout 50
    http management

    telnet management
    telnet timeout 5
    ssh stricthostkeycheck
    ssh management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn username bricks12 password ***** store-local
    dhcpd address management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    dynamic-access-policy-record DfltAccessPolicy
    username imran password guVrfhrJftPA/rQZ encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    ciscoasa#


    Change this ACL:

    access-list outside_access_in extended permit object remote-desktop any4 object RDP_SERVER

    to:

    access-list outside_access_in extended permit tcp any4 object RDP_SERVER eq 3389

    Thank you and best regards,

    Maryse Amrodia
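    Why the posted ACL never matched, and two ways to fix it, as an added example rather than the poster's configuration. The server address 192.168.1.10, the outside interface address 198.51.100.1 and the test client 203.0.113.5 are assumptions.

```cisco
! Added example; addresses are assumptions.
!
! As posted: a service object that pins BOTH the source and the destination port.
! An RDP client connects from an ephemeral source port, so "source eq 3389"
! never matches and the ACL silently drops every inbound connection.
object service remote-desktop
 service tcp source eq 3389 destination eq 3389
access-list outside_access_in extended permit object remote-desktop any4 object RDP_SERVER
!
! Fix 1 (what the answer does): drop that entry and match only the destination
! port, directly in the ACL.
no access-list outside_access_in extended permit object remote-desktop any4 object RDP_SERVER
access-list outside_access_in extended permit tcp any4 object RDP_SERVER eq 3389
!
! Fix 2 (alternative): keep a service object, but with the destination port only.
object service RDP
 service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any4 object RDP_SERVER
!
! The object NAT is fine as posted. The ACL refers to the REAL address (object
! RDP_SERVER), because on 8.3+ interface ACLs are evaluated after un-NAT.
object network RDP_SERVER
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389
!
! Verify from enable mode, using a realistic ephemeral source port:
!   packet-tracer input outside tcp 203.0.113.5 51234 198.51.100.1 3389
!   -> Phase UN-NAT (static), then ACCESS-LIST with "Result: ALLOW"
```

    Run the same packet-tracer against the original service object and the ACCESS-LIST phase shows "Result: DROP"; testing with source port 3389 would hide the bug, which is why the source port in the trace should not be 3389.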

  • [Issue] it is possbile to use MCU 4501 on network 1:1 NAT?

    Hi, I have a very simple question.

    I'll put an MCU 4501 on a private network to connect to codec devices on public IPs.

    Without other devices (TURN or VCS), it works standalone with H.323, and its private IP address is mapped 1:1 to a public IP address.

    In this situation, is it possible for another codec on a public IP to join an MCU 4501 session?

    In my view, signaling would be accepted, but media cannot be, because the IP address in the payload would mismatch the signaling.

    Does anyone know about this? Or can I use some free public STUN/TURN server, or H.323 direct mode? Or do it myself?

    I have no senior engineer and I have to learn about it; everybody asks me when they get stuck.

    This site is my last hope, and I'm sorry for the inconvenient reading; it is not my mother tongue.

    Thank you.

    For H.323, the IP address and port of the media negotiated during call setup are not taken from the IP header.

    If your firewall supports an H.323 ALG, the firewall handles the NAT of the IP and the conversion of the H.323 signaling headers.

    However, for the MCU you can consider the firewall option on the MCU if you are looking for a private/public dual network connection.

  • NAT issue ASA 5510

    Just upgraded my ASA 5510 from 8.2(1) to 8.4(4)1.  Well, everything seems to work, with one big exception.

    The NAT statements I had previously remained in force and even seem to be duplicated in some cases.

    Now, my question: I've set up a DMZ (security 50) interface and need a few servers there to connect to the inside interface (security 100).  I created the necessary NAT statements within ASDM to allow the DMZ servers to connect to a single inside server.  However, all the servers in the DMZ can still ping and connect to ALL inside servers.

    Is there an easy way to limit this?  I'm trying to limit the number of servers on the internal network that can be accessed from the DMZ, but it seems that the DMZ has free rein at the moment.

    Happy to post my configs. I opened a TAC case, but this firewall is so new that the support contract has not yet been processed by Cisco.

    Thanks in advance.

    I'll look when I get home, but here is a quick answer.

    If is the DMZ and is inside:

    ! - only this DMZ host can reach the inside network
    access-list dmz_access_in extended permit ip host host
    ! - deny everything else to the inside network
    access-list dmz_access_in extended deny ip any
    ! - allow Internet access from the DMZ
    access-list dmz_access_in extended permit ip any any

    Samuel Petrescu
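    The quick answer's ACL carried through as an added example, not the poster's or the answerer's configuration. The DMZ 10.10.10.0/24 on an interface named dmz, the inside network 192.168.1.0/24 with the permitted server at 192.168.1.50, the DMZ hosts and the port 1433 are all assumptions.

```cisco
! Added example; interface names, addresses and port are assumptions.
! On 8.3+ the NAT rules only translate, they do not restrict access. Without an
! ACL on "dmz" the lower-security DMZ cannot initiate to inside at all; once an
! ACL is bound (usually to allow Internet access), only that ACL decides, so the
! specific permit and the deny for inside must come before the catch-all.
object network INSIDE-SERVER
 host 192.168.1.50
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object-group network DMZ-HOSTS
 network-object host 10.10.10.21
 network-object host 10.10.10.22
!
access-list dmz_access_in extended permit tcp object-group DMZ-HOSTS object INSIDE-SERVER eq 1433
access-list dmz_access_in extended deny ip any object INSIDE-NET
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
!
! Checks (enable mode):
!   packet-tracer input dmz tcp 10.10.10.99 1025 192.168.1.60 22     -> ACCESS-LIST "Result: DROP"
!   packet-tracer input dmz tcp 10.10.10.21 1025 192.168.1.50 1433   -> "Result: ALLOW"
!   packet-tracer input dmz tcp 10.10.10.99 1025 198.51.100.20 443   -> "Result: ALLOW"
```

    The trailing permit ip any any also lets the DMZ reach every other interface (a second internal segment, the management network). If such interfaces exist, add a deny for their subnets ahead of it, or replace the catch-all with a permit only towards the networks routed via outside.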

  • Design site to Site VPN w/NAT traversal issue

    Hi, I have a number of site-to-site VPNs that terminate on a PIX. I intend to migrate these VPNs to a router that sits on a DMZ connected to the PIX. Before doing that, I'm going to set up a new VPN to terminate on the router, but I also need the VPNs that terminate on the PIX to be unaffected.

    If I configure NAT traversal on the PIX, will it affect my other VPNs?

    Thanks in advance


    Hi Dom,

    Why do you want to configure NAT-Traversal on the PIX if you wish to terminate your VPN on the router (which is in the DMZ)?

    Do you do any NAT on the PIX for the router?

    If you want to configure NAT-Traversal, it must be configured on the end devices (on the router, in your case).


    When a user with a Cisco client or a Cisco router behind NAT wants to connect to another device (such as a PIX, ASA, or router), NAT-T must be configured on the head-end device (which will be the PIX or ASA).

    Hope that helps.

    * Please rate the post

  • ASA Configuration of VPN Site to Site - NAT issues


    I am responsible for configuring a site-to-site VPN connection to a business partner, in which I first want to NAT my internal IPs to public IP addresses and then send the traffic through the tunnel, and vice versa: when they try to access my servers, I want them to reach them through the external IP addresses.  Here's what I think I should do, but I was wondering what the community's thoughts were.

    All of the IP addresses shown below are fictitious.

    Internal servers    Public IP address

    Local peer IP:

    Remote peer IP:

    Local network:

    Remote network:

    From my understanding, NAT occurs before traffic is sent into a tunnel, to the internet, etc., so the configuration that I think I need is the following:

    nat (inside) 0 access-list sheep

    nat (inside) 2

    nat (inside) 3

    nat (inside) 4

    global (outside) 2

    global (outside) 3

    global (outside) 4

    access-list sheep extended permit ip (do I still need this since it's NATed to a public IP address anyway?)

    access-list s2s-client extended permit ip

    route outside

    crypto map outside 1 set peer

    crypto map outside 1 match address s2s-client

    [... rest of the configuration snipped ...]

    Does that look right? If not, please advise.

    Thank you.


    PAT (nat/global) will take care of outgoing traffic, and static will take care of incoming traffic.

    You can create policy NAT as well to handle this traffic.
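    The answer's "nat/global for outbound, static for inbound, policy NAT if needed" carried through in pre-8.3 syntax as an added example, not the poster's configuration. The inside network 10.0.0.0/24, partner network 172.20.0.0/24, public range 203.0.113.0/24, peer 198.51.100.77 and the transform-set name are assumptions; ISAKMP policy and the transform-set definition are left out.

```cisco
! Added example in pre-8.3 (PIX / ASA 8.2) syntax; all addresses and names are
! assumptions.
!
! Policy static NAT: only when talking to the partner, 10.0.0.x appears as
! 203.0.113.x. "static" is bidirectional, so the partner reaching 203.0.113.x is
! un-NATed to 10.0.0.x; one rule covers both directions.
access-list PARTNER-NAT extended permit ip 10.0.0.0 255.255.255.0 172.20.0.0 255.255.255.0
static (inside,outside) 203.0.113.0 access-list PARTNER-NAT
!
! Everything else from inside goes out with PAT on the outside interface address.
! Policy static NAT is matched before nat/global, so no "nat (inside) 0" exemption
! is needed for the tunnel traffic: that traffic is supposed to be translated.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! NAT runs before the crypto map is consulted, so the crypto ACL uses the MAPPED
! (public) addresses, and the partner's crypto ACL must mirror it.
access-list S2S-PARTNER extended permit ip 203.0.113.0 255.255.255.0 172.20.0.0 255.255.255.0
crypto map outside_map 1 match address S2S-PARTNER
crypto map outside_map 1 set peer 198.51.100.77
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

    To check the translation without bringing the tunnel up, "show xlate" after a test connection from 10.0.0.5 to a partner host should show a static entry 203.0.113.5 for 10.0.0.5, while a connection from the same host to the Internet shows a PAT entry on the outside interface address.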

