need help with how to best setup no-nat with VPNs

mjsully
Level 1

If I am configuring an ASA to pass IPsec VPN traffic, and I don't want to NAT anything traversing from the inside out, nor am I NATing anything coming in, should I be using NAT exemption vs. Identity NAT?

nat (inside) 0 0.0.0.0 0.0.0.0

or

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

The ASA is used exclusively as a vpn endpoint. I am using sysopt connection permit-ipsec so I have no outside ACL. Which NAT method is the best solution?

11 Replies

eddie.mitchell
Level 3

I personally use no-NAT ACLs for my IPsec tunnels.

sdoremus33
Level 3

One important detail to remember about the difference between Identity NAT and NAT Exemption is the following:

With Identity NAT

EX: nat (inside) 0 192.168.6.0 255.255.255.0

This initiates an outbound connection only.

With NAT Exemption (nat 0 access-list) you have the following:

EX:

nat (inside) 0 access-list exemptxtrffc

access-list exemptxtrffc permit ip 192.168.6.0 255.255.255.0 198.100.10.0 255.255.255.0

where 198.100.10.0 would be the destination IP subnet.

You can initiate an inbound and an outbound connection.

Also, NAT Exemption is always processed first in the NAT order of operations.

OK, let's say I go with this:

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

This will NOT translate any traffic traversing the firewall, correct?

What if I have a need later to exclude a subnet from the no-nat ACL? Will this get processed?

access-list no-nat deny ip 172.16.100.0 255.255.255.0 any

access-list no-nat permit ip any any

Will that work?

Yes, it would work - but it's not the ideal solution.
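To make the first-match behaviour of the no-nat ACL concrete, here is an added example (not from the thread or from Cisco) that parses the 8.0-style `access-list` / `nat (iface) 0 access-list` lines from the post above and evaluates a flow against them exactly as the ASA does: first matching entry wins, `deny` takes the flow out of the exemption, and an unmatched flow falls through to the remaining NAT rules. The config text is constructed for the example.

```python
import ipaddress

# Constructed ASA 8.0-style snippet, matching the thread: one deny before a permit-any.
SAMPLE_CONFIG = """
access-list no-nat deny ip 172.16.100.0 255.255.255.0 any
access-list no-nat permit ip any any
nat (inside) 0 access-list no-nat
"""

def _net(tokens, i):
    """Parse one address spec at tokens[i]; return (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    # ASA ACLs use a subnet mask (not a wildcard mask) after the address.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2

def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, {iface: acl_name})."""
    acls, exemptions = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) >= 6 and t[3] == "ip":
            src, used = _net(t, 4)
            dst, _ = _net(t, 4 + used)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[:1] == ["nat"] and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            exemptions[t[1].strip("()")] = t[4]
    return acls, exemptions

def is_nat_exempt(text, iface, src_ip, dst_ip):
    """First-match evaluation of the nat 0 ACL bound to iface.
    True  -> exempt from translation
    False -> explicit deny, or no entry matched (other NAT rules apply)
    None  -> no nat 0 access-list configured on that interface"""
    acls, exemptions = parse_config(text)
    if iface not in exemptions:
        return None
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acls.get(exemptions[iface], []):
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

if __name__ == "__main__":
    print(is_nat_exempt(SAMPLE_CONFIG, "inside", "192.168.6.10", "198.100.10.5"))  # True
    print(is_nat_exempt(SAMPLE_CONFIG, "inside", "172.16.100.7", "198.100.10.5"))  # False
```

Swapping the two ACL lines would make 172.16.100.0/24 exempt again, which is why entry order matters when a deny is added later.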

What would be your ideal solution?

That is a loaded question - but the solution depends on the requirements.

If you have no need to NAT, then don't. If you do have a need to NAT all traffic but exclude some, then do that.

But not NATing all traffic and then NATing some traffic just makes it complicated, and troubleshooting gets harder.

In my opinion.

So either use the command nat-control or no nat-control.

HTH

I don't have a current need to NAT; however, I wanted to leave open the possibility of having to do it in the future and was looking to see the best way to set up the no-nat for now, with the least reconfiguring should NAT become a requirement. I'm using 8.x on the ASA, so it sounds like you are saying that as long as I don't enable nat-control, I don't need to put any no-nat statements on it?

Correct - using the command "no nat-control" means allow traffic through the firewall without address translation!

Thanks for your help.

NP - glad to help.
