Why do I have to create a NAT exempt between interfaces on ASA

Oct 19th, 2008
Why do I have to create a NAT exempt between interfaces when I want traffic to pass from one interface, like the inside, to, say, another interface?

ray_stone Sun, 10/19/2008 - 03:42

Hi, I would know something here: are both interfaces using different network subnets? If so, then you have only three options to make the communication between them work: 1) by exempting the traffic between the networks configured on different interfaces on the FW, 2) using PAT, and 3) the last one is using NATting.

abinjola (Cisco Employee) Sun, 10/19/2008 - 04:45

NAT exempt is used when you don't wish to hide/NAT your source address from the other end. This scenario is generally used when you want to pass traffic between two private interfaces, where even private addresses are routable and you wish to preserve the source header as it is. Now, there are two types of nat (inside) 0.

Nat 0 has two effects:

1. nat (inside) 0 access-list 101: This works exactly the same way as static, except it bypasses NAT. It does not require the connection to be initiated from the higher-security interface before the host on the lower-security interface can create a connection to the host on the higher-security interface.

2. nat (inside) 0: This bypasses NAT, but requires the host on the higher-security interface to first initiate a connection to the host on the lower-security interface before the host on the lower-security interface can initiate a connection.

Hope it answers!

husycisco (Gold, 750 points or more) Sun, 10/19/2008 - 05:18

Hello Andy,

"Why do I have to create a NAT exempt between interfaces"

The main reason is that the firewall architecture is kept different from a router's. The extra security provided by NAT (hiding the real source) is set as a default in Cisco firewalls. This is usually the first thing that makes R&S pros say "What is going on?" when they configure a firewall for the first time. If you believe that this NAT obligation does not add value to your security, you can simply disable it with the "no nat-control" command, or use exempt NAT as abinjola explained.


Farrukh Haroon (Red, 2250 points or more) Sun, 10/19/2008 - 22:57

It depends on the setting of nat-control on your firewall. By default there is no nat-control in version 7.x and above, which means that as long as your ACLs are correct, the traffic will flow through (NO need for the old NAT exemption crap). However, if you want extra security you can enable 'nat-control'. This will give the old 6.x functionality, i.e.:

highsec>>lowsec Dynamic NAT required, ACL not required.

lowsec>>highsec Static NAT and ACL required.

Else you need to Exempt/Bypass NAT.

You can check the current mode by entering:

show run nat-control
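The following configuration is an added example written for this page, not taken from any post in the thread or from Cisco documentation. It uses the pre-8.3 NAT syntax that matches the 8.0(3) release discussed here, and the interface names (inside, dmz), subnets, host addresses and ACL names are all made up for illustration. Option A keeps nat-control enabled and exempts the inside/DMZ pair from translation; Option B removes the NAT requirement altogether. Both match the behaviour described in the two answers above.

```text
! --- Option A: keep nat-control on and exempt inside<->dmz from translation ---
! Assumed topology: inside = 10.1.1.0/24 (security 100), dmz = 172.16.1.0/24 (security 50)
nat-control
!
! Traffic matching NONAT passes without translation in either direction.
! Because this is the access-list form of nat 0, the dmz host may open the
! connection first (it behaves like a static, as abinjola notes).
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Low-security -> high-security still needs an ACL applied on the dmz interface;
! here a single DMZ host is allowed to reach one inside host on TCP/1433 (constructed values).
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 10.1.1.5 eq 1433
access-group DMZ_IN in interface dmz
!
! --- Option B: drop the NAT requirement entirely (the 7.x/8.0 default) ---
no nat-control
! Existing translations keep their old behaviour until the xlate table is flushed
! (exec command, not configuration).
clear xlate
!
! Either way, confirm which mode is in effect (exec command).
show run nat-control
```

With Option A the NONAT rule is what makes the DMZ-initiated connection possible without a static; with Option B the ACL on the dmz interface is still required, since nat-control only governs translation, not access control.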



whiteford Mon, 10/20/2008 - 07:05

My ASA is on 8.0(3). I always need to use NAT exempts, for example, inside to DMZ (webservers).

My output

# sh run nat-control


husycisco (Gold, 750 points or more) Mon, 10/20/2008 - 07:30

If you don't want to use NAT exempts, simply issue "no nat-control". A "clear xlate" command may be necessary after issuing no nat-control.

whiteford Mon, 10/20/2008 - 07:53

What is xlate?

Could this free up memory issues too? I'm currently using 65% (512 MB).


husycisco (Gold, 750 points or more) Mon, 10/20/2008 - 07:59

It means the current NAT translations. I made a suggestion about memory usage in your other topic.

