[AusNOG] Exemption to a NAT rule for a particular destination

Geordie Guy elomis at gmail.com
Thu May 1 14:59:24 EST 2014


Router does the tunnel and is at the edge, firewall is inside and doing the
NAT.


On Thu, May 1, 2014 at 2:49 PM, Craig Askings <craig at askings.com.au> wrote:

> Sorry you have lost me here. Is the ASA doing all the NAT + the ipsec
> tunnel or is the upstream cisco router doing NAT and the ASA doing the
> ipsec tunnel?
>
> On 1 May 2014, at 2:45 pm, Geordie Guy <elomis at gmail.com> wrote:
>
> Sorry guys, it's an ASA 5500 firewall making the decision to NAT, and
> cutting the upstream Cisco router out of making the decision to forward it
> into the tunnel.  More reading seems to reveal what I want to do is
> configure a higher priority NAT rule that NATs traffic to that destination
> by rewriting the source and destination traffic with the same original
> info, thereby cutting out the PAT for the public IP.  Does this make sense?
> (it seems to, in a weird way)
>
>
> On Thu, May 1, 2014 at 2:37 PM, Karl Auer <kauer at biplane.com.au> wrote:
>
>> On Thu, 2014-05-01 at 14:15 +1000, Geordie Guy wrote:
>> > Is there a way of exempting a particular IP
>> > address or providing some other criteria for a NAT rule?
>>
>> Almost certainly, but how to do it depends on what system you are using.
>> Tell us what you are trying to do it *with* and someone who uses that
>> system will probably be able to help.
>>
>> For MikroTik, for example, you add an "accept" rule to the srcnat chain
>> in "/ip firewall nat", limiting it to specific source or destination
>> addresses. Make sure such rules are placed before any masquerade actions
>> involving the same sources or destinations, of course.
>>
>> > PS: (*%&*$ing NAT.
>>
>> What you said.
>>
>> Regards, K.
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Karl Auer (kauer at biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>>
>> GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
>> Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
>
>
>
>
>
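Karl's MikroTik advice above as a concrete configuration, added here and not taken from the thread; the LAN range, remote range and WAN interface are assumed values:

```routeros
# Added example (not from the thread): MikroTik RouterOS NAT exemption for a
# site-to-site IPsec tunnel. LAN 192.168.10.0/24, remote site 10.20.0.0/16 and
# WAN interface ether1 are assumed values, not taken from the thread.

# Broken ordering: masquerade is rule 0, so packets bound for the remote site
# are PATed to the public IP before the accept rule (rule 1) is ever reached,
# and the IPsec policy, which matches the original private source, never fires.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="PAT to WAN"
add chain=srcnat action=accept src-address=192.168.10.0/24 \
    dst-address=10.20.0.0/16 comment="no NAT into the IPsec tunnel"

# Fix: move the exemption above the masquerade rule. action=accept ends
# srcnat processing for matching packets, so they keep their original source.
/ip firewall nat move 1 0

# Check: the accept rule must now print with a lower index than the masquerade
# rule, and its counters should climb when traffic to 10.20.0.0/16 flows.
/ip firewall nat print stats
```

The same exempt-before-translate ordering is what Geordie describes for the ASA: an identity NAT rule for the tunnel destination that is evaluated ahead of the dynamic PAT to the public IP.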