Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

No NAT - To exclude Interesting Traffic...Please clarify!

Hi all,

I hope someone can clarify something for me.

I've never understood why you exclude your interesting traffic from the NAT process. If you're protecting your traffic (assumed to be NON-ROUTABLE RFC 1918 addresses), then when the traffic exists the egress interface, how is it able to reach the intended destination if the layer 3 header isn't rewritten with a publicly routable source address? It would have to be sourced off the public IP of the PIX/Router acting as the tunnel termination peer to be routed through the Internet, so I would like to know how we can exclude it? If it's not NAT'd then the source would exit as 192.168.1.x which would never make it to the remote peer.

Simple Configuration PIX to PIX VPN:

PIX 1: Inside segment (to be encrypted)

PIX 2: Inside segment (to be encrypted)

ACL to define Interesting Traffic:

access−list 101 permit ip

* This command tells the PIX not to NAT any traffic deemed as interesting for IPsec.

nat (inside) 0 access−list 101

With the statement above, how would the existing traffic ever make it to the intended destination if it's not being sourced with a routable address?

Any help is appreciated!


Re: No NAT - To exclude Interesting Traffic...Please clarify!

You use no-NAT when traffic is going between internal interfaces (e.g. inside<->DMZ), or over a VPN, or if you have public IPs on the inside (as at many educational establishments).

You are talking about a L2L VPN. This is an encrypted point-point tunnel between the public IP addresses of PIX1 & PIX2. So the LAN-LAN traffic is encapsulated in an IPsec packet, and the source and destination addreses on that packet are PIX1 & PIX2. No one on the internet can see the original packet with its private IPs.

Clear as mud?

Community Member

Re: No NAT - To exclude Interesting Traffic...Please clarify!

Sorry, I should've is return traffic supposed to get back to the respective host if it's sourced using its non-routable address (i.e.

I guess it's implied that the traffic will exit with the routable source address of the PIX. So in essence, the original layer 3 header still contains the inside source - so it's essentially being NAT'd in a non-NAT'd way...just new header is added with source address of the PIX for return traffic and to maintain confidentiality of inside block. =D

Clear as a bell now. Thanks.

CreatePlease to create content