- Cisco Employee,
Reference document for "Nat Exemption" (aka "nonat" or "nat 0" in earlier releases) for basic L2L or basic RA setup.
192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24
If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
192.168.3.0/24 (vpnclient pool) ===VPN===outside(ASA1)inside 192.168.1.0/24
If your were configuring ASA1 nat exemption for this RA tunnel, it would look like this:
object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the nat exemption statement at the top of all my nat statements.
Using Management-access Inside
In all the above cases, when you convert the nat 0 command in pre 8.3 code to post 8.3 code, you'll probably notice that you're converting it from being a nat exemption to static identity nat. Just like in pre 8.3 code, post 8.3 static nats also don't do a route lookup for an ingress packet. Instead they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer you'll see something like this:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
NAT divert to egress interface inside
Untranslate 22.214.171.124/3389 to 192.168.1.5/3389
Notice how it says "NAT divert", well what that means is the ASA just skipped a route-lookeup for the address you're trying to reach and used the NAT statement to decide how to route that packet. Sometimes this can be a good thing and can be used for various hacks( refer Loadbalancing DUAL ISP on ASA), unfrotunately, if you're using the VPN to manage your firewall, then you don't want packets destined to the ASA itself to be "NAT diverted" out some interface. You want those packets to be process by the ASA itself, so in these situations you want to configure the nat command as:
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookeup
This command makes the ASA do the route-lookup instead of blindly routing the packets.