Configuring Nat Exemption - Cisco PIX 500 Series Configuration Manual

Chapter 17
Configuring NAT

Configuring NAT Exemption

NAT exemption exempts addresses from translation and allows both real and remote hosts to originate
connections. NAT exemption lets you specify the real and destination addresses when determining the
real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than
identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the access list.
Use static identity NAT to consider ports in the access list.
Figure 17-26 shows a typical NAT exemption scenario.

Figure 17-26 NAT Exemption
(Diagram: the Security Appliance sits between the Inside and Outside interfaces; the addresses shown are 209.165.201.1 and 209.165.201.2.)
Note If you remove a NAT exemption configuration, existing connections that use NAT exemption are not
affected. To remove these connections, enter the clear local-host command.
To configure NAT exemption, enter the following command:
hostname(config)# nat (real_interface) 0 access-list acl_name [outside]
Create the extended access list using the access-list extended command (see the "Adding an Extended
Access List" section on page 16-5). This access list can include both permit ACEs and deny ACEs. Do
not specify the real and destination ports in the access list; NAT exemption does not consider the ports.
NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered
to be active for NAT exemption configuration.
By default, this command exempts traffic from inside to outside. If you want traffic from outside to
inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT
instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT
for the outside interface and want to exempt other traffic.
For example, to exempt an inside network when accessing any destination address, enter the following
command:
hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT
To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following
command:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT
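As an added example (not from the Cisco guide), the following Python audit reads a constructed PIX/ASA configuration snippet, finds every nat ... 0 access-list instance, and flags ACEs in those access lists whose port, inactive or time-range keywords NAT exemption silently ignores, per the caveats above. The configuration text, ACL names and interface names are constructed for the example.

```python
import re

# Constructed sample configuration (not from the manual). The second EXEMPT
# ACE carries a port and the third is marked inactive; NAT exemption ignores
# both, so the admin's intent and the appliance's behaviour diverge.
SAMPLE_CONFIG = """\
access-list EXEMPT extended permit ip 10.1.2.0 255.255.255.0 any
access-list EXEMPT extended permit tcp 10.1.2.0 255.255.255.0 any eq 80
access-list EXEMPT extended deny ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive
access-list OTHER extended permit tcp any host 10.1.1.5 eq 443
nat (inside) 0 access-list EXEMPT
nat (dmz) 0 access-list EXEMPT outside
nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
"""

NAT_EXEMPT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)( outside)?\s*$")
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
PORT_OPERATORS = ("eq", "neq", "gt", "lt", "range")

def nat_exemption_acls(config):
    """Map each ACL name used by 'nat (iface) 0 access-list' to its
    (interface, direction) instances; 'outside' marks outside NAT exemption."""
    acls = {}
    for line in config.splitlines():
        m = NAT_EXEMPT_RE.match(line.strip())
        if m:
            iface, acl_name, outside = m.groups()
            direction = "outside NAT" if outside else "inside to outside"
            acls.setdefault(acl_name, []).append((iface, direction))
    return acls

def audit_nat_exemption(config):
    """Return (acl_name, ace_line, reason) for ACEs in NAT-exemption ACLs that
    carry keywords NAT exemption does not evaluate: port operators, inactive,
    time-range. Such ACEs are matched on addresses only."""
    exempt = nat_exemption_acls(config)
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) not in exempt:
            continue
        acl_name, _action, _proto, rest = m.groups()
        tokens = rest.split()
        if any(t in PORT_OPERATORS for t in tokens):
            findings.append((acl_name, line.strip(), "port ignored by NAT exemption"))
        if "inactive" in tokens or "time-range" in tokens:
            findings.append((acl_name, line.strip(), "inactive/time-range ignored; ACE treated as active"))
    return findings
```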
Cisco Security Appliance Command Line Configuration Guide