Bypassing NAT
The following command uses static identity NAT for an outside address (209.165.201.15) when accessed
by the inside:
hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
The following static identity policy NAT example shows a single real address that uses identity NAT
when accessing one destination address, and a translation when accessing another:
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
Configuring NAT Exemption
NAT exemption exempts addresses from translation and allows both real and remote hosts to originate
connections. NAT exemption lets you specify the real and destination addresses when determining the
real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than
identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the access list.
Use static identity NAT to consider ports in the access list.
Figure 16-26 shows a typical NAT exemption scenario.
Figure 16-26 NAT Exemption
[Figure: FWSM between the Inside and Outside interfaces, labelled with the addresses 209.165.201.1 and 209.165.201.2]
Note: If you remove a NAT exemption configuration, existing connections that use NAT exemption are not
affected. To remove these connections, enter the clear local-host command.
To configure NAT exemption, enter the following command:
hostname(config)# nat (real_interface) 0 access-list acl_name [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
Create the extended access list using the access-list extended command. (See the "Adding an Extended
Access List" section on page 13-6.) This access list can include both permit ACEs and deny ACEs. Do
not specify the real and destination ports in the access list; NAT exemption does not consider the ports.
NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered
to be active for NAT exemption configuration.
Chapter 16 Configuring NAT
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
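The access-list rules for NAT exemption described above can be checked before a change is deployed. The following Python audit is an added example, not part of the Cisco guide: it finds every access list referenced by a nat (interface) 0 access-list command and reports ACEs that carry port operators or the inactive or time-range keywords, which NAT exemption does not consider. The function names, the sample configuration and the operator list (eq, neq, lt, gt, range) are assumptions made for this example.

```python
import re

# Constructed sample configuration for illustration; not taken from the guide.
SAMPLE_CONFIG = """\
access-list EXEMPT extended permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list EXEMPT extended permit tcp host 10.1.2.27 host 209.165.201.5 eq 443
access-list EXEMPT extended deny ip host 10.1.2.9 any inactive
access-list EXEMPT remark range of lab hosts
access-list WEB extended permit tcp any host 10.1.2.27 eq 80
hostname(config)# nat (inside) 0 access-list EXEMPT
"""

PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}   # ACE port qualifiers (assumed list)
IGNORED_KEYWORDS = {"inactive", "time-range"}         # not considered by NAT exemption
PROMPT = re.compile(r"^\S+\(config\)#\s*")            # optional CLI prompt prefix
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _lines(config):
    """Yield (line_number, text) with any CLI prompt and padding removed."""
    for number, raw in enumerate(config.splitlines(), 1):
        yield number, PROMPT.sub("", raw.strip())


def exemption_acls(config):
    """Map each ACL named by 'nat (interface) 0 access-list' to its interface."""
    matches = (NAT0.match(text) for _, text in _lines(config))
    return {m.group(2): m.group(1) for m in matches if m}


def audit(config):
    """Return (line, acl, keyword) for ACEs whose qualifiers NAT exemption ignores."""
    acls = exemption_acls(config)
    findings = []
    for number, text in _lines(config):
        tokens = text.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] not in acls:
            continue
        if tokens[2] == "remark":
            continue  # free-text comment, not an ACE
        for token in tokens[3:]:
            if token in PORT_OPERATORS or token in IGNORED_KEYWORDS:
                findings.append((number, tokens[1], token))
    return findings


if __name__ == "__main__":
    for number, acl, keyword in audit(SAMPLE_CONFIG):
        print(f"line {number}: ACL {acl} uses '{keyword}', ignored by NAT exemption")
```

An ACE flagged here exempts more traffic than its text suggests, because the match falls back to the addresses alone; where port-level matching is required, the guide points to static identity NAT instead.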