I think I've just found the answer: NO!
From:
NAT
Associate a network with a pool of global IP addresses.
access-list
Lets you identify local traffic for network address translation (NAT) by specifying the local and destination addresses (or ports). This feature is known as policy NAT.
Note: Even though NAT exemption (nat 0 access-list) uses an access list, this function is not the same as policy NAT. NAT exemption does not use ports in the access list.
You can only include permit statements in the access list.
Also note:
The ACL must have only permit statements. Unlike policy NAT, the PIX Firewall ignores any port setting in your ACL command statement and so NAT exemption cannot be used to permit or deny traffic on a per-port basis.
This is also very interesting:
Order of NAT Commands Used to Match Local Addresses
The firewall matches local traffic to NAT commands in the following order:
1. nat 0 access-list (NAT exemption)—In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.
2. static (static NAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.
3. static {tcp | udp} (static PAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.
4. nat nat_id access-list (policy NAT)—In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.
5. nat (regular NAT)—Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.
If you configure multiple global statements on the same NAT ID, the global statements are used in this order:
1. No global if using nat 0 (identity NAT).
2. Dynamic NAT global.
3. PAT global.
-------------------
So there's the answer
NO you cannot use DENY in your NO-NAT ACL.
Now I'm a step closer to finding the answer to my problem.
I've found another way NOT to solve it.
I want to permit ALL (except the mail server) local LAN traffic to go down the VPN and NOT be NATTED. This works OK.
However - I want to prevent the mail-server from going down the VPN and NOT being NATTED.
I've managed the first part.
But I cannot get the don't NO NAT bit right.
As
Code:
access-list NO-NAT permit ip LAN.LAN.LAN.0 255.255.255.0 VPN.VPN.VPN.0 255.255.255.0
Will trigger every time and LAN.LAN.LAN.MAIL will NOT be NATTED. :-(
Cheers
C.T.
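As an added illustration (not part of the post above, and not PIX code), here is a small Python model of the match order quoted from the PIX documentation: stage 1 is the nat 0 access-list (permit entries only, ports ignored, first match), stages 2 to 4 are first-match rules, and stage 5 (regular nat) is best match by prefix length. The addresses are constructed stand-ins for the post's LAN.LAN.LAN.0, VPN.VPN.VPN.0 and LAN.LAN.LAN.MAIL placeholders, and static/policy NAT are simplified to address-only matching.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the post's placeholder networks and mail host.
LAN = ip_network("10.1.1.0/24")
VPN = ip_network("192.168.50.0/24")
MAIL = ip_address("10.1.1.25")

# Stage 1: NAT exemption ACL (nat 0 access-list). Per the quoted docs it may only
# contain permit entries and is evaluated in order until the first match.
NO_NAT_ACL = [("permit", LAN, VPN)]

# Stages 2-5 in one ordered table: (stage, local_net, dest_net_or_None, label).
# stage 2/3 = static NAT/PAT, 4 = policy NAT, 5 = regular nat (best match).
RULES = [
    (5, ip_network("0.0.0.0/0"), None, "nat (inside) 1 0.0.0.0 0.0.0.0 (general)"),
    (5, ip_network("10.1.1.25/32"), None, "nat (inside) 2 10.1.1.25 (specific)"),
]


def match_nat(src, dst, acl=NO_NAT_ACL, rules=RULES):
    """Return which translation applies to src->dst under the documented order."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. nat 0 access-list: first matching permit entry wins; deny is not accepted.
    for action, lnet, dnet in acl:
        if action != "permit":
            raise ValueError("NAT exemption ACL accepts permit statements only")
        if src in lnet and dst in dnet:
            return "nat 0 access-list (exempt, not translated)"
    # 2-4. static, static PAT, policy NAT: in order, until the first match.
    for stage, lnet, dnet, label in rules:
        if stage < 5 and src in lnet and (dnet is None or dst in dnet):
            return label
    # 5. regular nat: the most specific matching statement, regardless of order.
    best = max((r for r in rules if r[0] == 5 and src in r[1]),
               key=lambda r: r[1].prefixlen, default=None)
    return best[3] if best else "no translation rule"


if __name__ == "__main__":
    # The broad permit exempts the mail host too, which is the problem in the post.
    print(match_nat("10.1.1.10", "192.168.50.5"))
    print(match_nat(MAIL, "192.168.50.5"))
    print(match_nat(MAIL, "203.0.113.9"))
```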