Using Cisco ASA without NAT

grantsewell asked:
I'm using as ASA 5510, and for my specific purpose I need to publish a server to our corporate WAN without using NAT. I've looked for some configuration examples online, but I've been unable to locate anything adequate. Here's some information:

ASA Version 8.3(2) - NAT was changed slightly in this version, just FYI

Because you can't have overlapping networks on interfaces, I divided our external subnet like this:
- Eth0/0 - Internet External Interface
- Eth0/3 - Corporate WAN External Interface
- Eth0/1.10 - Internal Sub-Interface
- Eth0/1 - Internal Interface

I assigned the IP to the Internal Interface, and assigned IP address to the server. I have an existing PAT masquerade rule which should work (and does, technically, the ASA shows no packet blocking and packet traces work fine), but it doesn't.

The PAT rule masquerades any traffic sent to the Eth0/3 interface to Other systems with traditional NAT from Eth0/1 work fine. I also created a NAT rule that made the server keep its assigned address (, but still no connectivity. The firewall logs look fine:

6      Oct 19 2010      09:45:52        57990      53      Built outbound UDP connection 143741 for WAN_Corp: ( to DMZ_Corp: (

Routing this system over a PAT rule to the Internet on Eth0/0 works fine.

I'm confused if this is the "best practice" way to do this or not. I can't have overlapping IP ranges, but the internal addresses are not advertised on the outside interface, so I don't understand how the firewall will even receive the traffic on a response, let alone a request.

Any ideas on best practice for no NAT for a specific system?
I would normally configure access-lists to specify the traffic that I do not want natted and then reference that in a 'nat (interface) 0 access-list nonat-acl' command.  With Cisco firewalls if you don't want NAT you have 2 options.  One is NAT the traffic from itself to itself, basically you tell the ASA to route it from interface to interface and the global and local IPs are the same.  Or you specify it as a nat 0 acl and the Cisco ignores the traffic for NATing completely.

So for example:
access-list nonat-wan permit ip
access-list nonat-wan permit ip
nat (waninterface) 0 access-list nonat-wan

You'd do that for each interface, specifying the inbound traffic and the destination.  

For it to work your upstream router will need to be routing the network to the outside Internet interface of your Firewall, because you won't be using proxy arp, the firewall will just be routing the traffic.
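The configuration below is an added illustration and is not taken from this thread or from any of the participants. It assumes constructed addressing (192.0.2.0/24 behind the DMZ_Corp interface with the published server at 192.0.2.10, 10.0.0.0/8 as the corporate WAN address space reached via next hop 198.51.100.1) and uses the interface names WAN_Corp and DMZ_Corp that appear in the asker's log line. It shows the pre-8.3 'nat 0 access-list' exemption the answer describes alongside the equivalent identity (twice) NAT syntax for the 8.3 release the asker is running; the two forms are alternatives, not meant to coexist.

```cisco
! Added example, not from the thread. Addresses and object names are constructed.
! Only one of the two NAT sections applies, depending on the ASA release.

! ---- Pre-8.3: NAT exemption via 'nat 0 access-list' ----
! Traffic from the DMZ server subnet to the corporate WAN space is never translated.
access-list nonat-wan extended permit ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (DMZ_Corp) 0 access-list nonat-wan

! ---- 8.3 and later: identity NAT with twice NAT ----
object network DMZ_Corp-net
 subnet 192.0.2.0 255.255.255.0
object network CorpWAN-nets
 subnet 10.0.0.0 255.0.0.0
! Real and mapped source are the same object, so the server keeps its real address.
! The explicit line number 1 keeps this rule ahead of any broader translation.
nat (DMZ_Corp,WAN_Corp) 1 source static DMZ_Corp-net DMZ_Corp-net destination static CorpWAN-nets CorpWAN-nets
! Everything else leaving toward the corporate WAN is still PATed to the interface address.
object network DMZ_Corp-net
 nat (DMZ_Corp,WAN_Corp) dynamic interface

! ---- Routing ----
! Forward route toward the corporate WAN. Because nothing is translated, the
! corporate router must also carry a return route for 192.0.2.0/24 pointing at the
! ASA's WAN_Corp interface address; proxy ARP cannot supply it across subnets.
route WAN_Corp 10.0.0.0 255.0.0.0 198.51.100.1 1

! ---- Inbound policy ----
! Even with no NAT, the WAN-facing ACL should expose only the published service.
access-list WAN_Corp-in extended permit tcp 10.0.0.0 255.0.0.0 host 192.0.2.10 eq 443
access-group WAN_Corp-in in interface WAN_Corp
```

With either form in place, 'packet-tracer input WAN_Corp tcp 10.1.1.1 1025 192.0.2.10 443' should show the NAT phase leaving the destination untranslated and the flow hitting the route and ACL above; if the return traffic still fails, the missing piece is the route on the upstream corporate router rather than the firewall.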


Thanks! In that case, my NAT rules look fine, I think I'm good on that end.

Being that my upstream router is not directly managed by me, couldn't I just set up a proxy ARP on the outside CORP interface, and configure it for the IP address and MAC of my non-NATed server?

I think you're going to have to have your ISP add a route for it to work no matter how you set it up. Your Internet IP block being on and your internal use block being on means that even if you NAT or PAT the traffic, proxy ARP isn't going to work because they're not on the same network subnet. The Internet router wouldn't be sending ARP requests to the firewall for it to reply to for traffic on the networks. Now if the Internet router has a route for and pointed it to your external Internet interface of your firewall, both NATing it or not-NATing it will work.


I understand - I may not have conveyed my intentions correctly.

We'll be publishing without NAT to our corporate WAN, with specific routes already present. My no-NAT NAT rule (that sounded weird) only triggers for traffic sent to the corporate WAN interface. Any traffic to the Internet would not be able to use that IP address anyways, and so we're using the default Internet masquerade for traffic to that interface.

I added the proxy ARP and everything is working fine, life saver! Thanks again!
