The "exclude" option
Sometimes it is desirable to exclude packets from NAT that match certain criteria. This exclusion can be accomplished by using the exclude option.
The following example shows how to use the exclude option to exclude a subset of traffic (packets coming from 192.168.0.0/24 and destined for 172.16.50.0/24 through the dp0p1p1 interface from translation. Note that rule 10 excludes certain traffic from translation and rule 20 performs a translation on the traffic that meets its filter criteria and is not excluded by rule 10.
Create SNAT rule 10.
Apply this rule to packets coming from any host on the 192.168.0.0/24 network, going to the 172.16.50.0/24 network, and egressing through the dp0p1p1 interface.
Exclude packets from NAT that match the filter criteria in this rule.
Create SNAT rule 20.
Apply this rule to packets coming from any host on the 192.168.0.0/24 network and egressing through the dp0p1p1 interface.
Use the primary IP address of the outbound interface as the translation address.
Commit the change.
Show the configuration.