02-19-2009 11:45 AM - edited 03-11-2019 07:53 AM
If I am configuring an ASA to pass IPsec VPN traffic, and I don't want to NAT anything traversing from the inside out, nor am I NATing anything coming in, should I be using NAT exemption or Identity NAT?
nat (inside) 0 0.0.0.0 0.0.0.0
or
access-list no-nat permit ip any any
nat (inside) 0 access-list no-nat
The ASA is used exclusively as a vpn endpoint. I am using sysopt connection permit-ipsec so I have no outside ACL. Which NAT method is the best solution?
02-19-2009 04:54 PM
I personally use no-NAT ACLs for my IPsec tunnels.
02-19-2009 07:46 PM
One important detail to remember between Identity NAT and NAT Exemption is the following:
With Identity NAT
EX: nat (inside) 0 192.168.6.0 255.255.255.0
This initiates outbound connections only.
With NAT Exemption (nat 0 access-list) you have the following:
EX:
nat (inside) 0 access-list exemptxtrffc
access-list exemptxtrffc permit ip 192.168.6.0 255.255.255.0 198.100.10.0 255.255.255.0
where 198.100.10.0 would be the destination IP subnet.
You can initiate inbound and outbound connections.
Also, NAT Exemption is always processed first in the NAT order of operations.
02-19-2009 07:47 PM
!
02-20-2009 06:21 AM
OK, let's say I go with this:
access-list no-nat permit ip any any
nat (inside) 0 access-list no-nat
This will NOT translate any traffic traversing the firewall, correct?
What if I have a need later to exclude a subnet from the no-nat ACL? Will this get processed?
access-list no-nat deny ip 172.16.100.0 255.255.255.0 any
access-list no-nat permit ip any any
Will that work?
02-20-2009 06:39 AM
Yes, it would work, but it's not the ideal solution.
02-20-2009 06:49 AM
What would be your ideal solution?
02-20-2009 06:59 AM
That is a loaded question, but the solution depends on the requirements.
If you have no need to NAT, then don't. If you do have a need to NAT all traffic but exclude some, then do that.
But not NATing all traffic and then NATing some traffic just makes it complicated, and troubleshooting gets harder.
In my opinion.
So either use the command nat-control or no nat-control.
HTH
02-20-2009 08:43 AM
I don't have a current need to NAT; however, I wanted to leave open the possibility of having to do it in the future and was looking to see the best way to set up the no-NAT for now, with the least reconfiguring should NAT become a requirement. I'm using 8.x on the ASA, so it sounds like you are saying that as long as I don't enable nat-control, I don't need to put any no-NAT statements on it?
02-20-2009 08:46 AM
Correct. Using the command "no nat-control" means: allow traffic through the firewall without address translation!
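Pulling the three options discussed in this thread into one annotated fragment: the identity NAT versus NAT exemption distinction from the reply above, and the "no nat-control" conclusion in this last reply. This is an added example and not configuration posted by anyone in the thread. It uses the pre-8.3 "nat 0" syntax the thread is using (ASA 8.0 through 8.2); in 8.3 and later NAT was rewritten around network objects and "nat 0" no longer exists, so this fragment will not paste into a current ASA. The interface name and the subnets are taken from the thread; the deny-above-permit ACL is the pattern the asker proposed and the reply said works. Everything else, including the comments, is assumption for illustration.

```text
! Added example, not from the original thread. ASA 8.0-8.2 NAT syntax
! (before the 8.3 NAT rewrite). Interface name and subnets assumed.

! --- Option A: identity NAT ------------------------------------------
! Inside hosts keep their real address, but only flows initiated from
! the inside get a translation slot; a remote VPN peer cannot open a
! connection inbound to 192.168.6.0/24 through this rule alone.
nat (inside) 0 192.168.6.0 255.255.255.0

! --- Option B: NAT exemption (the no-NAT ACL) -------------------------
! Matched in both directions, so remote peers can initiate to
! 192.168.6.0/24 as well, and exemption is evaluated before every other
! NAT rule. The ACL is first-match, so a deny line placed above the
! permit carves 172.16.100.0/24 out of the exemption; that subnet then
! falls through to whatever other NAT rule matches it (or passes
! untranslated if nat-control is off and nothing matches).
access-list no-nat deny   ip 172.16.100.0 255.255.255.0 any
access-list no-nat permit ip 192.168.6.0 255.255.255.0 198.100.10.0 255.255.255.0
nat (inside) 0 access-list no-nat

! --- Option C: no NAT at all -----------------------------------------
! With nat-control disabled (the ASA default) traffic with no matching
! nat/static rule passes untranslated, so for a box that is purely a
! VPN endpoint no "nat 0" statement is required.
no nat-control

! For contrast: with nat-control enabled, the same untranslated
! inside-to-outside flow is dropped, which is exactly when Option B
! stops being optional.
! nat-control
```

Practical check before relying on Option C: "show run nat-control" confirms which mode the box is in, and "show xlate" while a tunnel is up shows whether an identity xlate was built (Option A or B) or no xlate at all (Option C), which is the quickest way to tell the three behaviours apart when a VPN peer reports one-way reachability.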
02-20-2009 08:49 AM
Thanks for your help.
02-20-2009 08:50 AM
NP, glad to help.