topic Re: Going with NAT Exemption!!!! in Network Security

Going with NAT Exemption!!!!

Ibrahim Jamil — Mon, 11 Mar 2019 19:40:22 GMT

Hi Folks

Kindly Have a look to the Attached Diagram

The Matter is our 3 sites are connected through MPLS Cloud so that in Site 3 I Dont prefere to go translation to reach the other 2 sites ,and way back...so am thinking to go with NAT Exemption tied with access list to go untraslated to to reach other sites while the others site access resources on the inside network after that i ll be establiched IPSec Tunnel over the mpls cloud to reach others as well in secure fashion

Expert pls advise

Rgds

Ibrahim

Re: Going with NAT Exemption!!!!

Federico Coto Fajardo — Wed, 26 Jan 2011 21:00:40 GMT

Hi,

On the ASA to configure NAT Exemption you would normally do the following:

access-list nonat permit ip 2.2.2.0 255.255.255.0 x.x.x.x 255.255.255.0

access-list nonat permit ip 4.4.4.0 255.255.255.0 x.x.x.x 255.255.255.0

access-list nonat permit ip 5.5.5..0 255.255.255.0 x.x.x.x 255.255.255.0

nat (inside) 0 access-list nonat

In this way when traffic flows between 2.2.2.0/24, 4.4.4.0/24, 5.5.5.0/24 and the remote x.x.x.x/24 traffic will not be NATed.

NAT 0 with ACL takes precedence over any other type of NAT rule.

Federico.

Re: Going with NAT Exemption!!!!

Ibrahim Jamil — Thu, 27 Jan 2011 15:59:53 GMT

does tunel still working later on when i tuning it ?

Re: Going with NAT Exemption!!!!

Federico Coto Fajardo — Thu, 27 Jan 2011 17:42:48 GMT

What you're saying with the NAT 0 rules is that the traffic through the tunnel should not be NATed.

This will not affect the establishment of the tunnel itself (as it only affects traffic going inside the tunnel).

Now, for the tunnel to be able to pass traffic properly, both sides should agree that the expected traffic is coming from the real addresses (not the translated ones).

Federico.

Re: Going with NAT Exemption!!!!

Ibrahim Jamil — Sat, 29 Jan 2011 15:03:55 GMT

Mate,do u think that with NAT Exemption we run out of security coz we r visible to to providor or the tunel solve the sec issue?

thanks

Re: Going with NAT Exemption!!!!

Federico Coto Fajardo — Sat, 29 Jan 2011 23:34:26 GMT

Some people consider NAT as a security mechanism because it ''hides'' the real IP.

I personally like true security mechanisms.

If you tunnel all communication encrypted with IPsec, there no security flaws using NAT 0.

Federico.

Re: Going with NAT Exemption!!!!

Deepak Khemani — Sun, 30 Jan 2011 06:51:54 GMT

I dont get the design you are using here. If you are using MPLS cloud then why do you need NAT and stuff...

I suppose you would be having your own vrf with the provider. Now you can use routing protocol like BGP or OSPF between CE's. That way you dont need to confgure NAT or something.

And if you want to have encryption for your data you use VPN over MPLS. If there is any security policy you want to apply you can confgure your ASA to firewall taffic base on site's private IP Addresses.

Hope I am not letting you in wrong direction.

Cheers

Deepak Khemani

Re: Going with NAT Exemption!!!!

Ibrahim Jamil — Sun, 30 Jan 2011 09:38:01 GMT

Hi Deepack

We have asa 5510,and 2800 acts as CE router,we rely on static route to reach all sites

bty our CE Router 2800 its managed by the ISP,so we cant run routing protocol

Thanks

Re: Going with NAT Exemption!!!!

Ibrahim Jamil — Sun, 30 Jan 2011 16:06:44 GMT

Hi Mates

Can the Below works for my firewall using NAT Exemption to avoid translation to reach other 3 sites back anf forth over MPLS Cloud

interface GigabitEthernet0/0
nameif outside
security-level 0
description to ISP Mpls
ip address 11.11.11.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 12.12.12.12 255.255.255.252

access-list extended all permit ip 0.0.0.0 0.0.0.0 any

nat (inside ) 0 access-list all

route (outside) 0.0.0.0 0.0.0.0 11.11.11.2
route (inside) 0.0.0.0 0.0.0.0 12.12.12.1

thanks folks

Re: Going with NAT Exemption!!!!

Maykol Rojas — Sun, 30 Jan 2011 16:11:35 GMT

Ibrahim,

That would actually nonat all the traffic passing across the ASA. If you want to nonat traffic to specific sites, on the destination side of the ACL you would need to put the destination network. For example, you need to nonat the traffic from the inside going to the network 4.2.2.0 255.255.255.0, being the inside network 10.10.10.0 255.255.255.0:

access-list nonat permit ip 10.10.10.0 255.255.255.0 4.2.2.0 255.255.255.0

nat (inside) 0 access-list nonat

If you have any problems, let me know.

Mike

Re: Going with NAT Exemption!!!!

Ibrahim Jamil — Sun, 30 Jan 2011 16:52:00 GMT

IN THIS SITUATION, NO NEED FOR PAT CONFIGURATION?

do i need to configure the nat exeption on other 3 sites also toward my subnet in order to let they ping my resources,or just in my small sites

thanks