Why do I have to create a NAT exempte between interfaces on ASA

whiteford
Level 1

Hi,

Why do I have to create a NAT exempt between interfaces when I want traffic to pass from one interface, like the inside, to, say, another interface?

8 Replies

ray_stone
Level 1

Hi, I would like to know something here: are both interfaces using different network subnets? If so, then you have only three options to make the communication between them, that is: 1) by exempting the traffic between the networks configured on different interfaces on the FW, 2) using PAT, and 3) the last one is using NATting.

NAT exempt is used when you don't wish to hide/NAT your source address from the other end. This scenario is generally used when you want to pass traffic between two private interfaces where even private addresses are routable and you wish to preserve the source header as it is. Now, there are two types of nat (inside) 0.

nat 0 has two effects:

1. nat (inside) 0 access-list 101 This works exactly the same way as static, except it bypasses NAT. It does not require the connection to be initiated from the higher security interface before the host on the lower security interface can create a connection to the host on the higher security level interface.

2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the higher security interface to first initiate a connection to the host on the lower security interface before the host on the lower security interface can initiate a connection.

Hope it answers!

Hello Andy,

"Why do I have to create a NAT exempt between interfaces"

The main reason is that the firewall architecture is kept different from a router's. The extra security provided by NAT (hiding the real source) is set as a default in Cisco firewalls. This is usually the first thing R&S pros say "What is going on?" about when they configure a firewall for the first time. If you believe that this NAT obligation does not add value to your security, you can simply disable it with the "no nat-control" command. Or use exempt NAT as abinjola explained.

Regards

Farrukh Haroon
VIP Alumni

It depends on the setting of nat-control on your firewall. By default there is no nat-control in version 7.x and above, which means as long as your ACLs are correct, the traffic will flow through (NO need for the old NAT exemption crap). However, if you want extra security you can enable 'nat-control'. This will give the old 6.x functionality, i.e.:

highsec >> lowsec: Dynamic NAT required, ACL not required.

lowsec >> highsec: Static NAT and ACL required.

Else you need to Exempt/Bypass NAT.

You can check the current mode by entering:

show run nat-control

Regards

Farrukh
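An added configuration example, not taken from any post in this thread, putting the two approaches the replies describe side by side in pre-8.3 ASA syntax (the 8.0(3) release mentioned later in the thread uses it): option A keeps nat-control and exempts the inside/DMZ pair with the nat 0 access-list form from ray_stone's post, option B turns nat-control off as Farrukh suggests. The interface names, addresses, ports and ACL names are constructed for illustration.

```cisco
! Added example, not the thread's own config. Assumed (constructed) topology:
!   inside = 10.1.1.0/24 (database host 10.1.1.20)
!   dmz    = 192.168.10.0/24 (web server 192.168.10.10)
!   outside = Internet-facing interface
!
! ---- Option A: keep nat-control, exempt inside<->dmz from translation ----
nat-control
! Identity pairs that must bypass NAT. With nat-control on, any inside->dmz
! packet that matches no nat/static/exempt rule is dropped ("no translation group").
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
! Form 1 from ray_stone's post: ACL-based exemption, works in both directions,
! so the dmz host does not need an inside-initiated xlate to exist first.
nat (inside) 0 access-list NONAT
! Form 2 (commented out): blanket identity NAT, outbound-initiated only.
! nat (inside) 0 0.0.0.0 0.0.0.0
!
! lowsec >> highsec still needs an interface ACL; the exemption only removes
! the translation requirement. Constructed flow: web server to inside DB.
access-list DMZ_IN extended permit tcp host 192.168.10.10 host 10.1.1.20 eq 1433
access-group DMZ_IN in interface dmz
!
! highsec >> lowsec (inside -> outside) is not exempted, so under nat-control
! it still needs dynamic NAT/PAT, as Farrukh's table says.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! ---- Option B: disable nat-control (7.x+ default) ----
! With nat-control off the NONAT exemption is unnecessary: untranslated
! traffic is forwarded and only the interface ACLs decide what passes.
! Existing nat/global/static statements still apply where they match.
! no nat-control
! clear xlate
```

Verify which mode is active with `show run nat-control` (it prints `nat-control` when enabled, `no nat-control` when not), and after switching modes clear the translation table with `clear xlate` so stale xlates do not keep enforcing the old behaviour.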

Hi,

My ASA is on 8.0(3). I always need to use NAT exempts, for example inside to DMZ (web servers).

My output

# sh run nat-control

nat-control

If you don't want to use NAT exempts, simply issue "no nat-control"; a "clear xlate" command may be necessary after issuing no nat-control.

What is xlate?

Could this free up memory too? I'm currently using 65% (512 MB).

Thanks

It means the current NAT translations. I made a suggestion about memory usage in your other topic.
