ASA: 8.3 "Nat Exemption" Example - Basic L2L VPN and Basic RA VPN


Fri, 04/03/2015 - 08:08
Jun 15th, 2010
User Badges:
  • Cisco Employee,

Reference document for "Nat Exemption" (aka "nonat" or "nat 0" in earlier releases) for basic L2L or basic RA setup.


L2L Example


Topology:

192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24


If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:


object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote




RA Example


Topology:

192.168.3.0/24 (vpnclient pool) ===VPN===outside(ASA1)inside 192.168.1.0/24


If you were configuring ASA1 nat exemption for this RA tunnel, it would look like this:


object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool


*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the nat exemption statement at the top of all my nat statements.


Using Management-access Inside


In all the above cases, when you convert the nat 0 command in pre-8.3 code to post-8.3 code, you'll probably notice that you're converting it from a nat exemption into a static identity NAT. Just like in pre-8.3 code, post-8.3 static NATs don't do a route lookup for an ingress packet; instead they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer you'll see something like this:



Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 64.102.156.87/3389 to 192.168.1.5/3389


Notice how it says "NAT divert": what that means is that the ASA skipped the route lookup for the address you're trying to reach and used the NAT statement to decide how to route that packet. Sometimes this can be a good thing and can be used for various hacks (refer to Loadbalancing DUAL ISP on ASA); unfortunately, if you're using the VPN to manage your firewall, then you don't want packets destined to the ASA itself to be "NAT diverted" out some interface. You want those packets to be processed by the ASA itself, so in these situations you want to configure the nat command as:

nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup


This command makes the ASA do the route-lookup instead of blindly routing the packets.
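The conversion described above (a pre-8.3 "nat 0 access-list" exemption plus its ACL turned into 8.3 identity twice NAT, optionally with the route-lookup keyword) as an added Python example; this is not part of the original document or any Cisco tool, and the obj-<network>-<prefix> object naming and the restriction to "permit ip" ACEs are my own assumptions.

```python
"""Convert pre-8.3 ASA nat exemption (nat 0 access-list) to 8.3 twice NAT."""
from __future__ import annotations
import ipaddress
import re

# One ACE of the nonat ACL: 'any' or 'network mask' for source and destination.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>any|\S+ \S+) (?P<dst>any|\S+ \S+)"
)
NAT0_RE = re.compile(r"nat \((?P<iface>\S+)\) 0 access-list (?P<acl>\S+)")


def _object(addr: str) -> tuple[str, list[str]]:
    """Return the 8.3 object name and its definition; 'any' needs no object."""
    if addr == "any":
        return "any", []
    net, mask = addr.split()
    cidr = ipaddress.IPv4Network(f"{net}/{mask}")  # validates the net/mask pair
    name = f"obj-{cidr.network_address}-{cidr.prefixlen}"  # hypothetical naming scheme
    return name, [f"object network {name}", f" subnet {net} {mask}"]


def convert_nonat(nat0_cmd: str, acl_lines: list[str], egress: str,
                  route_lookup: bool = False, line: int = 1) -> list[str]:
    """Emit identity twice-NAT lines (placed at position <line>) for each ACE."""
    m = NAT0_RE.fullmatch(nat0_cmd.strip())
    if not m:
        raise ValueError(f"not a nat exemption command: {nat0_cmd!r}")
    ingress, acl = m.group("iface"), m.group("acl")
    out: list[str] = []
    seen: set[str] = set()
    for ace in acl_lines:
        am = ACE_RE.fullmatch(ace.strip())
        if not am or am.group("name") != acl:
            continue  # skip ACEs of other ACLs and non-'ip' rules
        src, src_def = _object(am.group("src"))
        dst, dst_def = _object(am.group("dst"))
        for name, defn in ((src, src_def), (dst, dst_def)):
            if defn and name not in seen:  # define each object only once
                seen.add(name)
                out.extend(defn)
        nat = (f"nat ({ingress},{egress}) {line} source static {src} {src} "
               f"destination static {dst} {dst}")
        if route_lookup:  # make the ASA route-lookup instead of NAT divert
            nat += " route-lookup"
        out.append(nat)
    return out
```

Feeding it the page's RA topology (`access-list nonat extended permit ip any 192.168.3.0 255.255.255.0`) with route_lookup=True reproduces the management-access variant of the nat command shown above, with a generated object in place of obj-vpnpool.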

gglynn Thu, 07/08/2010 - 10:00

Argh. What software engineer working on ASA 8.3 decided that this was the best way to do this? How is a configuration directive to NAT an object back to its original IP address in any way more intuitive than a configuration directive to simply not NAT traffic clearly defined by an access list? It's ugly and confusing, so two thumbs down on this design decision.

hdashnau Wed, 07/14/2010 - 10:38
User Badges:
  • Cisco Employee,

In case it's not clear to others upon glancing at this comment, I just want to point out that this comment seems to be directed at the design changes in general for nat in 8.3 as a whole rather than an assault against this particular document's explanation.

holzerb Tue, 07/20/2010 - 09:08

You are right, the explanation is fine... it's the design changes for NAT in 8.3 that are so bad I'm at a loss for words.

Praveena Shanubhogue Wed, 07/28/2010 - 21:57
User Badges:
  • Bronze, 100 points or more

Just a correction here regarding the syntax ("source" keyword after "destination" is not required):

nat (inside,outside) 1 source static obj-local obj-local destination source static obj-remote obj-remote

hdashnau Thu, 07/29/2010 - 05:24
User Badges:
  • Cisco Employee,

Thanks for spotting the typo, I have corrected this.

jkirby Wed, 08/18/2010 - 07:24

As a 16 year firewall veteran in his 13th year of full time PIX/ASA support I can say without equivocation that this NAT change is about the most boneheaded move I've ever seen Cisco make. If they're trying to kill ASA sales, it's a good step in the right direction. One of our more cynical engineers says it's just a ploy to generate more training dollars.


You can be sure that we are not sending 10 experienced ASA engineers to training just to learn the new NAT. But we will spend the morning reverting to 8.2.

golly_wog Fri, 09/03/2010 - 13:36

Kirby you old git, you're stuck in your old ways. ;-) (BTW, this is a joke mate - there can't be many people who have honestly worked on F/Ws for 16 years, I take my hat off to you).


Have a play - it's not too bad, I'm sure in a while you will like it more than the old way.


I'm sure that the new ASA card for the 65ks will only have this type of code, so get to know it if you want to make it to 20 years in the game. :-)

jkirby Fri, 09/03/2010 - 13:44

You certainly got the old and gitty part right. =)


Ya, I was surprised myself when I counted the # of years back to 1996. Certainly don't want to do firewalls for 20 more years, but if the pay is right I guess...


Anyway, I've come to terms with the new syntax. Turns out my biggest gripe was due to a bug that should get exorcised in the next point release, according to TAC anyway. (Apparently someone put "&&" in an if..then instead of "||".) Still not real keen on trying to get my tech staff to remember two ways of doing it since it's hard enough to get them to do it the old way right anyway. Maybe there's an opportunity in there for me or something.


Although the jury's still out on whether or not I like the change, I still stand by my opinion that such a change should have come in 9.0, not snuck into 8.3. Oh well.

golly_wog Sat, 09/04/2010 - 03:57

That's the spirit mate :-) I quite like some new changes brought into configs, it gets the old brain going and really separates the men from the boys. Although it's a lot more code, I am sure it will have its benefits as it seems more granular.


I agree with the numbering, it should have occurred in 9, but I'm sure that marketing was involved somewhere..


I'm so into the new nat that I've developed a little ditty that I sing to myself when performing configuration. If you want to join in, it's sung to RUN D.M.C King of Rock...


I'm the king of NAT, there is none higher
ASA 8.3 is what I desire
TAC Security show boys should call me sire
I won't stop NAT'in till I retire


Nat "King" Golly


:-)

Dave Lewis Tue, 01/25/2011 - 03:04

Brilliant, love the song. You should record a video of yourself singing it and see if Cisco will post it!

vickyleach1 Tue, 09/07/2010 - 09:06

I have gotta say this was a huge headache when I first saw it and tried to work on it (4 hours trying to do a site-to-site configuration that should have taken me 20 minutes!) but I actually like it better than the earlier versions of IOS. It almost looks like an object orientated version of coding with the object groups and such. So in theory you only have to change the objects rather than the code bound to the objects in the access lists etc. I say stick to it and soon you will see that it is just as easy and just as logical as the earlier versions. (Just a pain in the ass during the learning process.) Oh and @Kirby, don't send your employees for training, it's annoying to learn but there are tons of resources out there which I am sure you have seen most of, so I say the training would be unnecessary.

hdashnau Tue, 09/07/2010 - 09:18
User Badges:
  • Cisco Employee,

Thanks for all the feedback. I wanted to point out that this document was just made for a quick reference. I recommend also checking out this video presentation of the 8.3 NAT features which methodically explains this new feature (it may even work for some of your training purposes).


Please refer to "ASA Version 8.3 NAT Configuration By: Jay Johnston"

https://supportforums.cisco.com/videos/1078

hdashnau Tue, 02/01/2011 - 11:25
User Badges:
  • Cisco Employee,

You should post this as a question in the forum rather than as feedback on this document.

Florin Barhala Wed, 06/11/2014 - 02:43
User Badges:
  • Bronze, 100 points or more

Thanks for the article!

It helped me to SNMP over site-to-site on the inside interface after some struggle!
