topic Re: NAT exempt to Internat Interfaces in Network Security

NAT exempt to Internat Interfaces

jkeddington_2 — Mon, 11 Mar 2019 12:16:46 GMT

I am looking for the most efficient way to configure NAT exempt statements for a multiple interface ASA. I know I will need to write ACL's but do I write based on source and destination networks? Or source network to Any? Any suggestions would be greatly appreicated.

Re: NAT exempt to Internat Interfaces

ray_stone — Thu, 13 Mar 2008 05:16:36 GMT

It depends on your network requirements. If you want to exempt the source network to destination network(any) then you can use (example:- internal to any) if you want only source network could access a particular network then exempt destination network instead of any. As per the cisco, the higher zone network can access the lower security zone by default and if you want to give the access to lower zone network to highher zone network then you need access list. Create rule step by step would be in proper way. Thanks

Re: NAT exempt to Internat Interfaces

alanajjar — Thu, 13 Mar 2008 10:50:00 GMT

Hi,

If you use NAT exemption, and you put from source network to any, your internal network will be able to access internet only through VPN connection. this will put heavy load on the ASA.

regards

Re: NAT exempt to Internat Interfaces

jkeddington_2 — Fri, 14 Mar 2008 04:59:58 GMT

That is really good to know, I was going to see what would happen with nat0 to any but no need too now.