need help with how to best setup no-nat with VPNs

Unanswered Question
Feb 19th, 2009
User Badges:

If I am configuring an ASA to pass IPSEC vpn traffic, and I don't want to NAT anything traversing from the inside out, nor am I NATng anything coming in, should I be using NAT exemption vs Identity NAT?

nat (inside) 0


access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

The ASA is used exclusively as a vpn endpoint. I am using sysopt connection permit-ipsec so I have no outside ACL. Which NAT method is the best solution?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sdoremus33 Thu, 02/19/2009 - 19:46
User Badges:
  • Bronze, 100 points or more

One important detail to remember between Identity Nat, and NAT Exemption is the following

With Identity NAT

EX: nat (inside) 0

This initiated an outbound connection only

With NAT Exemption nat 0 access-list you have the following


NAT (inside)0 access-list exemptxtrffc

access-list exemptxtrffc permit ip where would be the destination ip subnet

You initiate an inbound and outbound connection

Also NAT Exemption is always processed first in the NAT order of operations

mjsully Fri, 02/20/2009 - 06:21
User Badges:

ok, let's say I go with this:

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

this will NOT translate all traffic traversing firewall, correct?

what if I have a need later to exclude a subnet from the no-nat acl? will this get processed?

access-list no-nat deny ip any

access-list no-nat permit ip any any

will that work?

That is a loaded question - but the solution depends on the requirements.

If you have no need to NAT - then don't. If you do have a need to NAT all traffic - but exluded some, then do that.

But to not NAT all traffic - then nat some traffic just makes it complicated and troubleshooting gets harder.

In my opionion.

so either use the comman nat-control or no nat-control.


mjsully Fri, 02/20/2009 - 08:43
User Badges:

I don't have a current need to NAT, however, I wanted to leave open the possibility of having to do it in the future and was looking to see the best way to setup the no-nat for now, with the least re-configuring should NAT become a requirement. I'm using 8.x on the ASA, so it sounds like you are saying as long as I don't enable NAT-control, I don't need to put any no-nat statements on it?


This Discussion