Cisco Support Community

New Member

Why do I have to create a NAT exempt between interfaces on ASA

Hi,

Why do I have to create a NAT exempt between interfaces when I want traffic to pass from one interface, like the inside, to, say, another interface?

8 REPLIES
New Member

Re: Why do I have to create a NAT exempt between interfaces on ASA

Hi, I would like to know something here: are both interfaces using different network subnets? If so, then you have only three options to make the communication between them work: 1) exempting the traffic between the networks configured on different interfaces of the FW, 2) using PAT, and 3) using NAT.

Cisco Employee

Re: Why do I have to create a NAT exempt between interfaces on ASA

NAT exempt is used when you don't wish to hide/NAT your source address from the other end. This scenario is generally used when you want to pass traffic between two private interfaces, where even private addresses are routable and you wish to preserve the source header as it is. Now, there are two types of nat (inside) 0.

Nat 0 has two effects:

1. nat (inside) 0 access-list 101: this works exactly the same way as a static, except that it bypasses NAT. It does not require the connection to be initiated from the higher-security interface before the host on the lower-security interface can create a connection to the host on the higher-security interface.

2. nat (inside) 0 0.0.0.0 0.0.0.0: this bypasses NAT, but requires the host on the higher-security interface to first initiate a connection to the host on the lower-security interface before the host on the lower-security interface can initiate a connection.

Hope it answers!

Re: Why do I have to create a NAT exempt between interfaces on ASA

Hello Andy,

"Why do I have to create a NAT exempt between interfaces"

The main reason is that the firewall architecture is kept different from a router's. The extra security provided by NAT (hiding the real source) is set as a default in Cisco firewalls. This is usually the first thing that R&S pros say "What is going on?" about when they configure a firewall for the first time. If you believe that this NAT obligation does not add value to your security, you can simply disable it with the "no nat-control" command, or use NAT exemption as abinjola explained.

Regards

Re: Why do I have to create a NAT exempt between interfaces on ASA

It depends on the setting of nat-control on your firewall. By default there is no nat-control in version 7.x and above, which means that as long as your ACLs are correct, the traffic will flow through (no need for the old NAT exemption crap). However, if you want extra security you can enable 'nat-control'. This will give the old 6.x functionality, i.e.:

highsec >> lowsec: dynamic NAT required, ACL not required.

lowsec >> highsec: static NAT and ACL required.

Otherwise you need to exempt/bypass NAT.

You can check the current mode by entering:

show run nat-control

Regards

Farrukh

New Member

Re: Why do I have to create a NAT exempt between interfaces on ASA

Hi,

My ASA is on 8.0(3). I always need to use NAT exempts, for example from inside to DMZ (web servers).

My output:

# sh run nat-control

nat-control
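To make the rules in the replies above concrete for the setup described in this post (ASA 8.0, nat-control on, inside to DMZ web servers), here is an added configuration example. It is not from the thread or from Cisco documentation; the interface names, security levels, addresses (192.168.1.0/24 inside, 10.1.1.0/24 DMZ with a web server at 10.1.1.10, 203.0.113.0/24 outside) and ACL names are assumptions chosen for illustration. It uses pre-8.3 NAT syntax, which is what 8.0(3) runs.

```cisco
! Added example (not from the thread). Assumed layout: inside 192.168.1.0/24
! (security-level 100), dmz 10.1.1.0/24 (level 50) with a web server at
! 10.1.1.10, outside 203.0.113.0/24 (level 0). ASA 8.0 (pre-8.3) syntax.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
interface Vlan3
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! nat-control is on, so every flow crossing the ASA needs a matching
! translation rule or it is dropped ("no translation group found").
nat-control
!
! highsec -> lowsec (inside and dmz -> outside): dynamic PAT on the outside
! interface address. There is no global (dmz), so inside -> dmz would have
! no translation to match without the exemption below.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
!
! inside -> dmz: NAT exemption so the web servers see real inside addresses.
! nat 0 with an ACL is checked before the dynamic rules and behaves like an
! identity static: dmz hosts may also initiate toward inside, subject to an
! ACL applied on the dmz interface.
access-list NAT0_INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NAT0_INSIDE
!
! Alternative to the two lines above: identity NAT without an ACL. Also
! bypasses translation, but only inside may initiate the connection.
! nat (inside) 0 192.168.1.0 255.255.255.0
!
! lowsec -> highsec (outside -> dmz web server): static plus interface ACL.
static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
```

Keep the exemption ACL as narrow as the real traffic: an exemption that matches "permit ip 192.168.1.0 255.255.255.0 any" would also swallow inside-to-outside flows, and those would then leave the box with private source addresses. With nat-control enabled, "packet-tracer input inside tcp 192.168.1.50 12345 10.1.1.10 80" shows which NAT rule a flow matches, and "show xlate" lists the translations it created. If instead you choose "no nat-control", the exemption and the dynamic nat/global pair are no longer required for inside-to-dmz traffic, but existing translations stay in the xlate table until they time out or are cleared with "clear xlate", which also tears down every current connection that depends on them.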

Re: Why do I have to create a NAT exempt between interfaces on ASA

If you don't want to use NAT exempts, simply issue "no nat-control"; a "clear xlate" command may be necessary after issuing no nat-control.

New Member

Re: Why do I have to create a NAT exempt between interfaces on ASA

What is xlate?

Could this free up memory too? I'm currently using 65% (of 512 MB).

Thanks

Re: Why do I have to create a NAT exempt between interfaces on ASA

It means the current NAT translations. I made a suggestion about memory usage in your other topic.
