10-19-2008 03:08 AM - edited 03-11-2019 06:59 AM
Hi,
Why do I have to create a NAT exempt between interfaces when I want traffic to pass from one interface, like the inside, to, say, another interface?
10-19-2008 03:42 AM
Hi, I would like to know something here: are both interfaces using different network subnets? If so, then you have only three options to make the communication between them work: 1) exempting the traffic between the networks which are configured on different interfaces on the FW, 2) using PAT, and 3) the last one, using NAT.
10-19-2008 04:45 AM
NAT exempt is used when you don't wish to hide/NAT your source address from the other end. This scenario is generally used when you want to pass traffic between two private interfaces, where even private addresses are routable and you wish to preserve the source header as it is. Now there are two types of nat (inside) 0, with two different effects:
1. nat (inside) 0 access-list 101 - This works exactly the same way as static, except it bypasses NAT. It does not require the connection to be initiated from the higher-security interface before the host on the lower-security interface can create a connection to the host on the higher-security interface.
2. nat (inside) 0 0.0.0.0 0.0.0.0 - This bypasses NAT, but requires the host on the higher-security interface to first initiate a connection to the host on the lower-security interface before the host on the lower-security interface can initiate a connection.
hope it answers !
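The two nat 0 forms from the reply above, written out as an added configuration example for an inside/DMZ pair (this is not configuration from the thread; the interface names, security levels and the 10.1.1.0/24 and 192.168.10.0/24 subnets are assumed):

```text
! Added example, not from the thread. ASA 7.x/8.0 with nat-control enabled.
! Assumed design: inside = 10.1.1.0/24 (security-level 100),
!                 dmz    = 192.168.10.0/24 (security-level 50, web servers).
! Goal: inside hosts reach the DMZ with their real source address, and a DMZ
! host may open a connection back to inside (e.g. to an assumed back-end DB
! on 10.1.1.20:1433) without inside having talked to it first.

! Form 1: NAT exemption with an ACL. Matches in both directions, so no prior
! inside-initiated xlate is needed before dmz -> inside can be built.
access-list INSIDE_NAT0 extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0

! NAT exemption only removes the translation requirement. dmz is the
! lower-security side, so dmz -> inside still needs an ACL on the dmz interface.
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 1433
access-group DMZ_IN in interface dmz

! Form 2 (alternative, do not combine with form 1 for the same traffic):
! identity NAT. Also bypasses translation, but the xlate is only created when an
! inside host initiates, so a DMZ host cannot open the first connection.
! nat (inside) 0 0.0.0.0 0.0.0.0
```

To confirm which path the firewall takes, packet-tracer from the DMZ side (available on 7.2 and later) shows whether the flow hits the NAT exemption or is dropped for lack of a translation: packet-tracer input dmz tcp 192.168.10.10 40000 10.1.1.20 1433. With form 1 the NAT phase reports the exempt rule; with form 2 and no prior inside-initiated xlate it fails at the NAT phase.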
10-19-2008 05:18 AM
Hello Andy,
"Why do I have to create a NAT exempt between interfaces"
The main reason is that the firewall architecture is kept different from a router's. The extra security provided by NAT (hiding the real source) is set as a default in Cisco firewalls. This is usually the first thing that makes R&S pros say "What is going on?" when they configure a firewall for the first time. If you believe that this NAT obligation does not add value to your security, you can simply disable it with the "no nat-control" command, or use NAT exemption as abinjola explained.
Regards
10-19-2008 10:57 PM
It depends on the setting of nat-control on your firewall. By default there is no nat-control in version 7.x and above, which means that as long as your ACLs are correct, the traffic will flow through (no need for the old NAT exemption crap). However, if you want extra security you can enable 'nat-control'. This will give the old 6.x functionality, i.e.:
highsec>>lowsec Dynamic NAT required, ACL not required.
lowsec>>highsec Static NAT and ACL required.
Else you need to Exempt/Bypass NAT.
You can check the current mode by entering:
show run nat-control
Regards
Farrukh
10-20-2008 07:05 AM
Hi,
My ASA is on 8.0(3). I always need to use NAT exempts for example, inside to DMZ (webservers).
My output
# sh run nat-control
nat-control
10-20-2008 07:30 AM
If you don't want to use NAT exempts, simply issue "no nat-control"; a "clear xlate" command may be necessary after issuing no nat-control.
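The nat-control rules from Farrukh's reply and the "no nat-control" / "clear xlate" advice just above, as one added configuration example (not configuration posted in the thread; the interface names, the private subnets and the public range 203.0.113.0/24 are assumed):

```text
! Added example, not from the thread. ASA 8.0(3) where "show run nat-control"
! prints "nat-control", so every flow through the box needs a matching xlate rule.
! Assumed design: inside = 10.1.1.0/24 (100), dmz = 192.168.10.0/24 (50),
!                 outside (0) with public range 203.0.113.0/24.

! --- Option 1: keep nat-control and give every direction a translation rule ---

! highsec -> lowsec (inside -> outside): dynamic PAT is enough, no ACL needed
! on the inside interface.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! lowsec -> highsec (outside -> dmz web server): a static translation AND an ACL
! permitting the flow, applied on the lower-security interface.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! Any remaining direction (e.g. inside -> dmz) would still need a NAT exemption:
! access-list INSIDE_NAT0 extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
! nat (inside) 0 access-list INSIDE_NAT0

! --- Option 2: disable nat-control so untranslated flows pass on ACL alone ---
! This is the 7.x+ default. The nat/global pair above is still needed for
! inside -> outside (private source addresses must be hidden to reach the
! Internet) and the static/ACL is still needed for outside -> dmz, but
! inside -> dmz now needs no nat 0 rule at all.
no nat-control
```

"no nat-control" is entered in configuration mode; "clear xlate" is a privileged-exec command and tears down the existing translations, which also drops the connections using them, so run it in a maintenance window. Verify the change with "show run nat-control" (the line disappears when nat-control is off) and "show xlate count" before and after the clear.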
10-20-2008 07:53 AM
What is xlate?
Could this free up memory too? I'm currently using 65% (of 512 MB).
Thanks
10-20-2008 07:59 AM
It means the current NAT translations. I made a suggestion about memory usage in your other topic.