hi , If i understand if the question is to configure NAT for inside network when browsing internet we have to configure exception for global network assuming global network is 6.6.0.0 and inside network is 10.1.1.0
regards ________________________________________ De : Piotr Matusiak [[email protected]] Date d'envoi : mercredi 28 décembre 2011 20:38 À : n.issam Cc : [email protected] Objet : Re: [OSL | CCIE_Security] Nat configuration This is not correct! You cannot use DENY in NAT Exemption. Actually you must use PERMIT to subject IPs to be NAT exempt. For example, to exempt local user from network 10.1.1.0/24 from NATting you must use: access-list NO-NAT per 10.1.1.0 255.255.255.0 6.6.0.0 255.255.0.0 nat (i) 0 access-list NO-NAT then for example nat (i) 1 0 0 global (o) 1 interface Given the above configuration, hosts from inside network going to 6.6.0.0/16<http://6.6.0.0/16> will NOT be translated. Assuming you have no NAT-Control enabled, this will do the trick. Regards, Piotr 2011/12/28 n.issam <[email protected]<mailto:[email protected]>> Hi all , I need to now if we told as to configure NAT on ASA for inside user when browsing internet we have to exempt global network from nat for exemple : global network is 6.6.0.0/24<http://6.6.0.0/24> configuration of nat access-list nat deny ip any 6.6.0.0 255.255.0.0 access-list nat permit ip any any nat (i) 1 access-list nat global (o) 1 interface If this configuration is correct or we have to exempt also rfc 1918 from nat BR _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com<http://www.ipexpert.com> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com<http://www.PlatinumPlacement.com> _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
