Has anyone ever used DENY in their NO-NAT acl?

captaintuba

Technical User
Oct 28, 2003
18
GB
Has anyone ever used DENY in their NO-NAT acl?
For example:
Code:
!--- ACL to avoid Network Address Translation (NAT) on the IPSec packets

access-list 100 deny ip host 10.2.2.12 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0

!--- Binding ACL 100 to the NAT statement to avoid NAT on the IPSec packets

nat (inside) 0 access-list 100

I'm trying to fix a problem with a split route and VPN.
I'd like to stop a specific host (a mail server) from using the VPN and let the rest of the subnet use the VPN.

Thanks
C.T.
 
I think I've just found the answer: NO!

From:
NAT
Associate a network with a pool of global IP addresses.
access-list
Lets you identify local traffic for network address translation (NAT) by specifying the local and destination addresses (or ports). This feature is known as policy NAT.

Note: Even though NAT exemption (nat 0 access-list) uses an access list, this function is not the same as policy NAT. NAT exemption does not use ports in the access list.

You can only include permit statements in the access list.

Also note:
The ACL must have only permit statements. Unlike policy NAT, the PIX Firewall ignores any port setting in your ACL command statement and so NAT exemption cannot be used to permit or deny traffic on a per-port basis.


This is also very interesting:
Order of NAT Commands Used to Match Local Addresses
The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)—In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)—In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)—Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.

-------------------
So there's the answer
NO you cannot use DENY in your NO-NAT ACL.

Now I'm a step closer to finding the answer to my problem.
I've found another way NOT to solve it.

I want to permit ALL (except the mail server) local LAN traffic to go down the VPN and NOT be NATTED. This works OK.
However - I want to prevent the mail-server from going down the VPN and NOT being NATTED.

I've managed the first part.
But I cannot get the "don't NO-NAT" bit right.
As
Code:
access-list NO-NAT permit ip LAN.LAN.LAN.0 255.255.255.0 VPN.VPN.VPN.0 255.255.255.0
will trigger every time, and LAN.LAN.LAN.MAIL will NOT be NATTED. :-(

Cheers
C.T.
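The lookup order quoted above, as an added example that is not part of the original thread and is not Cisco's code: a small Python model of steps 1 to 5 (exemption ACL first-match, then static, static PAT and policy NAT first-match, then regular nat best-match), the permit-only rule for the exemption ACL, and a configuration built from the first post. The entry names, the extra `nat (inside) 2` statement for the mail server, and the 192.0.2.7 destination are constructed for illustration; ports are ignored throughout, as the quoted note says they are for NAT exemption.

```python
"""Toy model of the PIX NAT lookup order quoted in the post above.

Added example, not Cisco's code: entries, addresses and flows are
constructed for illustration, and only the ordering rules stated in the
quoted documentation are modelled (ports are ignored throughout).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class NatEntry:
    kind: str                 # nat0_acl | static | static_pat | policy_nat | nat
    name: str
    local: IPv4Network = ip_network("0.0.0.0/0")      # matched by static/regular nat
    acl: List[AclEntry] = field(default_factory=list)  # used by the two access-list forms


def ace(action, src, dst):
    return AclEntry(action, ip_network(src), ip_network(dst))


def validate_exemption_acl(acl):
    """nat 0 access-list may contain permit lines only (per the quoted PIX docs)."""
    for e in acl:
        if e.action != "permit":
            raise ValueError(f"deny not allowed in NAT exemption ACL: {e}")


def acl_first_match(acl, src, dst):
    """First matching line decides; a deny line means 'this entry does not apply'."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


def pix_nat_lookup(entries, src, dst):
    """Return the name of the NAT entry that handles src->dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    # Steps 1-4 of the documented order: each class in turn, first match wins.
    for kind in ("nat0_acl", "static", "static_pat", "policy_nat"):
        for e in (x for x in entries if x.kind == kind):
            if kind == "nat0_acl":
                validate_exemption_acl(e.acl)
                hit = acl_first_match(e.acl, src, dst)
            elif kind == "policy_nat":
                hit = acl_first_match(e.acl, src, dst)
            else:
                hit = src in e.local
            if hit:
                return e.name
    # Step 5, regular nat: best (longest-prefix) match; configuration order is irrelevant.
    best: Optional[NatEntry] = None
    for e in (x for x in entries if x.kind == "nat"):
        if src in e.local and (best is None or e.local.prefixlen > best.local.prefixlen):
            best = e
    return best.name if best else None


# Constructed configuration mirroring the thread: all of 10.2.2.0/24 is exempted
# towards the two VPN subnets; everything else is handled by regular nat, where
# a hypothetical host-specific nat 2 exists alongside the catch-all nat 1.
CONFIG = [
    NatEntry("nat0_acl", "nat (inside) 0 access-list 100", acl=[
        ace("permit", "10.2.2.0/24", "10.1.1.0/24"),
        ace("permit", "10.2.2.0/24", "10.3.3.0/24"),
    ]),
    NatEntry("nat", "nat (inside) 1 0.0.0.0 0.0.0.0", local=ip_network("0.0.0.0/0")),
    NatEntry("nat", "nat (inside) 2 10.2.2.12 255.255.255.255",
             local=ip_network("10.2.2.12/32")),
]


def demo():
    mail, vpn_host, internet = "10.2.2.12", "10.1.1.10", "192.0.2.7"
    results = {
        # the poster's problem: the mail server is caught by the broad permit line
        "mail_to_vpn": pix_nat_lookup(CONFIG, mail, vpn_host),
        # off-VPN traffic falls through to regular nat, where the /32 wins on best match
        "mail_to_internet": pix_nat_lookup(CONFIG, mail, internet),
        "other_to_internet": pix_nat_lookup(CONFIG, "10.2.2.50", internet),
    }
    try:  # a deny line placed in front of the exemption ACL is rejected
        bad = [NatEntry("nat0_acl", "bad",
                        acl=[ace("deny", "10.2.2.12/32", "10.1.1.0/24")] + CONFIG[0].acl)]
        pix_nat_lookup(bad, mail, vpn_host)
        results["deny_in_nat0"] = "accepted"
    except ValueError:
        results["deny_in_nat0"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} -> {v}")
```

Running the block shows why the poster's approach cannot work under the quoted rules: step 1 is evaluated before anything else and stops at the first permit, so once a line covers the whole /24 no later statement, and no deny line, can pull the mail server back out of the exemption.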
 