I'm asked to configure translation for inside when the inside network accesses the Internet; that's why I am asking if I have to exempt the global network. For example, in lab 12 task 1.5, regarding blocking Java for clients browsing the Internet, the global network 6.6.0.0/16 was excluded in the solution.

Best Regards
________________________________________
From: Piotr Matusiak [[email protected]]
Sent: Wednesday, 28 December 2011 21:04
To: n.issam
Cc: [email protected]
Subject: Re: RE : [OSL | CCIE_Security] Nat configuration

I don't get it. If you are asked to configure translation for inside, why do you want to configure NAT exemption? NAT Exempt is for traffic which must be excluded from translation. It is usually used when you have NAT/PAT for internet access and at the same time you have a Site-to-Site VPN tunnel terminated on the ASA and you must exclude from translation the traffic between your inside and the other site.

Regards,
Piotr

2011/12/28 n.issam <[email protected]>

Hi,
If I understand, if the question is to configure NAT for the inside network when browsing the internet, we have to configure an exception for the global network, assuming the global network is 6.6.0.0 and the inside network is 10.1.1.0

Regards
________________________________________
From: Piotr Matusiak [[email protected]]
Sent: Wednesday, 28 December 2011 20:38
To: n.issam
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Nat configuration

This is not correct! You cannot use DENY in NAT Exemption. Actually you must use PERMIT to subject IPs to be NAT exempt. For example, to exempt local users from network 10.1.1.0/24 from NATting you must use:

    access-list NO-NAT permit ip 10.1.1.0 255.255.255.0 6.6.0.0 255.255.0.0
    nat (i) 0 access-list NO-NAT

then for example

    nat (i) 1 0 0
    global (o) 1 interface

Given the above configuration, hosts from the inside network going to 6.6.0.0/16 will NOT be translated. Assuming you have no NAT-Control enabled, this will do the trick.

Regards,
Piotr

2011/12/28 n.issam <[email protected]>

Hi all,
I need to know: if we are told to configure NAT on the ASA for inside users when browsing the internet, do we have to exempt the global network from NAT? For example, the global network is 6.6.0.0/24.

Configuration of NAT:

    access-list nat deny ip any 6.6.0.0 255.255.0.0
    access-list nat permit ip any any
    nat (i) 1 access-list nat
    global (o) 1 interface

Is this configuration correct, or do we also have to exempt RFC 1918 from NAT?

BR
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
