
New Member

need help with how to best setup no-nat with VPNs

If I am configuring an ASA to pass IPsec VPN traffic, and I don't want to NAT anything traversing from the inside out, nor am I NATing anything coming in, should I be using NAT exemption vs. Identity NAT?

nat (inside) 0 0.0.0.0 0.0.0.0

or

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

The ASA is used exclusively as a VPN endpoint. I am using sysopt connection permit-ipsec, so I have no outside ACL. Which NAT method is the best solution?

11 REPLIES

Re: need help with how to best setup no-nat with VPNs

I personally use no-NAT ACL's for my IPSec tunnels.

New Member

Re: need help with how to best setup no-nat with VPNs

One important detail to remember between Identity NAT and NAT Exemption is the following:

With Identity NAT

EX: nat (inside) 0 192.168.6.0 255.255.255.0

This covers an outbound-initiated connection only.

With NAT Exemption (nat 0 access-list) you have the following:

EX:

nat (inside) 0 access-list exemptxtrffc

access-list exemptxtrffc permit ip 192.168.6.0 255.255.255.0 198.100.10.0 255.255.255.0

where 198.100.10.0 would be the destination IP subnet.

This covers both inbound- and outbound-initiated connections.

Also, NAT Exemption is always processed first in the NAT order of operations.

New Member

Re: need help with how to best setup no-nat with VPNs

!

New Member

Re: need help with how to best setup no-nat with VPNs

OK, let's say I go with this:

access-list no-nat permit ip any any

nat (inside) 0 access-list no-nat

This will NOT translate any traffic traversing the firewall, correct?

What if I have a need later to exclude a subnet from the no-nat ACL? Will this get processed?

access-list no-nat deny ip 172.16.100.0 255.255.255.0 any

access-list no-nat permit ip any any

Will that work?

Re: need help with how to best setup no-nat with VPNs

Yes, it would work - but it's not the ideal solution.
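The two points raised so far, that a nat 0 access-list is evaluated first-match (so the deny for 172.16.100.0/24 has to sit above permit ip any any) and that identity NAT covers only inside-initiated traffic while NAT exemption covers both directions, can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco: it parses ACL lines in ASA syntax and applies a simplified model of the behaviour the replies describe. The subnets are the ones already posted in the thread; the sample config list and the remote host 198.100.10.5 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration built from the lines posted in the thread.
# The evaluation below is a simplified model of the behaviour described in
# the replies, not ASA code.
NO_NAT_CONFIG = [
    "access-list no-nat deny ip 172.16.100.0 255.255.255.0 any",
    "access-list no-nat permit ip any any",
    "nat (inside) 0 access-list no-nat",
]


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" = exempt from NAT, "deny" = not exempt
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address operand starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA style "<network> <netmask>" pair
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_acl(config_lines):
    """Collect 'access-list <name> <permit|deny> ip ...' entries per ACL name,
    preserving configured order; other statements (nat, sysopt, ...) are skipped."""
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        name, action = tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(AclEntry(action, src, dst))
    return acls


def exempt_one_way(acl, src_ip, dst_ip):
    """First-match evaluation: the first ACE covering the flow decides.
    permit -> exempt (no translation), deny -> not exempt; no match -> not exempt."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def nat_exemption_applies(acl, inside_ip, remote_ip, initiated_from_inside):
    """Model of 'nat (inside) 0 access-list <name>': the ACL is written with the
    inside host as source, and, as the thread states, it covers connections
    initiated from either side, so the direction flag does not change the result."""
    _ = initiated_from_inside  # direction is irrelevant for exemption in this model
    return exempt_one_way(acl, inside_ip, remote_ip)


def identity_nat_applies(subnet, inside_ip, initiated_from_inside):
    """Model of 'nat (inside) 0 <subnet> <mask>': only inside-initiated traffic
    from the listed subnet passes untranslated, as the thread states."""
    return initiated_from_inside and ipaddress.ip_address(inside_ip) in ipaddress.IPv4Network(subnet)


def order_matters():
    """Show why the deny must precede 'permit ip any any': with the two ACEs
    reversed, the deny is never reached and 172.16.100.0/24 stays exempt."""
    deny_first = parse_acl(NO_NAT_CONFIG)["no-nat"]
    permit_first = parse_acl([NO_NAT_CONFIG[1], NO_NAT_CONFIG[0]])["no-nat"]
    host, remote = "172.16.100.7", "198.100.10.5"   # constructed test flow
    return {
        "deny_first": exempt_one_way(deny_first, host, remote),
        "permit_first": exempt_one_way(permit_first, host, remote),
    }


if __name__ == "__main__":
    acl = parse_acl(NO_NAT_CONFIG)["no-nat"]
    for host in ("192.168.6.10", "172.16.100.7"):
        print(host, "exempt from NAT:", exempt_one_way(acl, host, "198.100.10.5"))
    print("ACE order check:", order_matters())
    print("identity NAT, outside-initiated:", identity_nat_applies("192.168.6.0/24", "192.168.6.10", False))
```

Run it as a script to see that 192.168.6.10 is exempted while 172.16.100.7 is not, and that swapping the two ACEs silently re-exempts the excluded subnet; the identity NAT call returns False for an outside-initiated connection even though the host is in the listed subnet.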

New Member

Re: need help with how to best setup no-nat with VPNs

What would be your ideal solution?

Re: need help with how to best setup no-nat with VPNs

That is a loaded question - but the solution depends on the requirements.

If you have no need to NAT, then don't. If you do have a need to NAT all traffic but exclude some, then do that.

But not NATing all traffic and then NATing some traffic just makes it complicated, and troubleshooting gets harder.

In my opinion.

So either use the command nat-control or no nat-control.

HTH

New Member

Re: need help with how to best setup no-nat with VPNs

I don't have a current need to NAT; however, I wanted to leave open the possibility of having to do it in the future and was looking for the best way to set up the no-NAT for now, with the least reconfiguring should NAT become a requirement. I'm using 8.x on the ASA, so it sounds like you are saying that as long as I don't enable nat-control, I don't need to put any no-NAT statements on it?

Re: need help with how to best setup no-nat with VPNs

Correct - using the command "no nat-control" means traffic is allowed through the firewall without address translation!

New Member

Re: need help with how to best setup no-nat with VPNs

Thanks for your help.

Re: need help with how to best setup no-nat with VPNs

NP - glad to help.
