
ASA NAT statement "Original"?

CiscoBrownBelt
Level 6

Within the GUI, if you choose, under Action: Translated Packet, Source NAT Type "Static" and both source address and destination address "Original", what is that really used for if you are just NATting to the same original IP?

9 Replies

Under translated packet, "Original" means the source/destination IP/network is unchanged from the original packet.

HTH

What is the purpose of that at all if you are not really even natting and/or translating the IP?

A typical use case is when you have a site-to-site VPN and you want to ensure communication using the original IP address. Without this NAT exemption/no-NAT rule, the packet would typically hit a dynamic NAT rule and be NATted behind the interface of the ASA or a NAT pool. So you'd define the NAT exemption rule above the dynamic rule to ensure the traffic is not translated.

There are no other NAT rules that would NAT this traffic, which is why I am questioning whether this NO NAT rule is even needed.

OK, if there are no other existing NAT rules, then no, you would not need a NO NAT rule to exempt this traffic; it would just be routed.
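
The rule ordering described in the answers above, as an added ASA CLI example that is not part of the original thread. It assumes ASA 8.3 or later NAT syntax and interfaces named inside and outside; the object names, subnets and host addresses are constructed for illustration.

```cisco
! Constructed addressing: 10.1.1.0/24 is the local LAN, 10.2.2.0/24 is the
! remote LAN reached over the site-to-site VPN. Object names are hypothetical.
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
!
! Line 1: NAT exemption (identity NAT). The mapped source and destination are
! the same objects as the real ones, which is what "Original" selects in the GUI.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Line 2: dynamic PAT behind the outside interface for everything else.
! If this rule sat above line 1, LAN-to-remote traffic would match it first
! and leave with the interface address instead of its original address.
nat (inside,outside) 2 source dynamic any interface
!
! Check which NAT rule a LAN-to-remote flow matches (constructed hosts):
packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 443
! List the rules in evaluation order with their hit counters:
show nat detail
```

If the line 2 rule and every other NAT rule are absent, the line 1 rule can be left out as well and the traffic is simply routed with its original addresses.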

Jaderson Pessoa
VIP Alumni
Well

When you use the packet translation "Original" option, this identifies that the packet won't have its source and/or destination changed.
Jaderson Pessoa
*** Rate All Helpful Responses ***

What is the purpose if you are not even translating the IP?

Because there are other options under it. If you do not choose "Original" and select other options, other boxes will be available to choose. But in this case "Original" is the default behavior when you won't need to translate the packet.

More detail: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15243-19.html
Jaderson Pessoa
*** Rate All Helpful Responses ***

As already said by the expert RJI, it is mainly used in VPNs. I would suggest visiting the article below for more details. It has various flavours of NAT explained. There may be other use cases as well where you want traffic not to be NATted.

https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#asa-policy-nat

Look at: NAT Exemption on a Cisco ASA or Cisco ASA-X Firewall

HTH
### RATE ALL HELPFUL RESPONSES ###