need help with how to best setup no-nat with VPNs

Unanswered Question
Feb 19th, 2009

If I am configuring an ASA to pass IPSEC VPN traffic, and I don't want to NAT anything traversing from the inside out, nor am I NATing anything coming in, should I be using NAT exemption vs Identity NAT?

nat (inside) 0 0.0.0.0 0.0.0.0

or

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

The ASA is used exclusively as a VPN endpoint. I am using sysopt connection permit-ipsec, so I have no outside ACL. Which NAT method is the best solution?

sdoremus33 Thu, 02/19/2009 - 19:46

One important detail to remember between Identity NAT and NAT Exemption is the following:

With Identity NAT

EX: nat (inside) 0 192.168.6.0 255.255.255.0

This initiates outbound connections only.

With NAT Exemption (nat 0 access-list) you have the following:

EX:

nat (inside) 0 access-list exemptxtrffc

access-list exemptxtrffc permit ip 192.168.6.0 255.255.255.0 198.100.10.0 255.255.255.0

where 198.100.10.0 would be the destination IP subnet.

You can initiate both inbound and outbound connections.

Also, NAT Exemption is always processed first in the NAT order of operations.

mjsully Fri, 02/20/2009 - 06:21

ok, let's say I go with this:

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

this will NOT translate any traffic traversing the firewall, correct?

what if I have a need later to exclude a subnet from the no-nat ACL? will this get processed?

access-list no-nat deny ip 172.16.100.0 255.255.255.0 any

access-list no-nat permit ip any any

will that work?

That is a loaded question - but the solution depends on the requirements.

If you have no need to NAT - then don't. If you do have a need to NAT all traffic - but exclude some, then do that.

But not NATing all traffic - and then NATing some traffic - just makes it complicated, and troubleshooting gets harder.

In my opinion.

so either use the command nat-control or no nat-control.

HTH
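As an added example (not from any poster in this thread), here is what the "exempt everything, but leave room to NAT one subnet later" layout from the question looks like on pre-8.3 ASA code. It assumes interfaces named inside and outside, 8.0/8.2-style nat/global syntax, the 172.16.100.0/24 subnet from the thread as the one to be translated, and constructed addresses in the packet-tracer check; it also relies on deny entries in a nat 0 ACL falling through to the remaining NAT rules rather than being ignored, which is how NAT exemption ACLs behave on that code to my knowledge.

```cisco
! Added example, not from the thread. Assumes ASA 8.0/8.2 (pre-8.3) syntax.
!
! NAT exemption: the deny entry keeps 172.16.100.0/24 out of the exemption
! (it falls through to the nat/global rules below); the final permit exempts
! everything else, in both directions, which is what the VPN needs.
access-list no-nat extended deny ip 172.16.100.0 255.255.255.0 any
access-list no-nat extended permit ip any any
nat (inside) 0 access-list no-nat
!
! Dynamic PAT for the excluded subnet only, behind the outside interface.
! Remove these two lines (and the deny above) if nothing should be NATed yet.
nat (inside) 1 172.16.100.0 255.255.255.0
global (outside) 1 interface
!
! 8.x default. With "no nat-control" a host with no matching nat rule still
! passes untranslated, so the explicit nat 0 is optional today; keeping it
! means nothing breaks if nat-control is turned on later.
no nat-control
!
! Checks (constructed addresses): confirm which rule a flow hits and that
! no translation is built for exempted traffic.
packet-tracer input inside tcp 192.168.6.10 1025 198.100.10.10 80
show nat
show xlate
```

The point of keeping the exemption in place even with no nat-control is exactly the "least reconfiguring later" goal from the question: adding NAT for a subnet becomes one deny line plus a nat/global pair, and the VPN traffic keeps matching the exemption first in the NAT order of operations.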

mjsully Fri, 02/20/2009 - 08:43

I don't have a current need to NAT, however, I wanted to leave open the possibility of having to do it in the future and was looking to see the best way to set up the no-nat for now, with the least re-configuring should NAT become a requirement. I'm using 8.x on the ASA, so it sounds like you are saying as long as I don't enable nat-control, I don't need to put any no-nat statements on it?
