Going with NAT Exemption!!!!

Ibrahim Jamil
Level 6

Hi Folks

Kindly have a look at the attached diagram.

The matter is that our 3 sites are connected through an MPLS cloud, so at Site 3 I don't prefer to go through translation to reach the other 2 sites, and on the way back. So I am thinking of going with NAT exemption tied to an access list to go untranslated to reach the other sites, while the other sites access resources on the inside network. After that I will establish an IPsec tunnel over the MPLS cloud to reach the others in a secure fashion as well.

Experts, please advise.

Regards,

Ibrahim


Hi,

On the ASA, to configure NAT exemption you would normally do the following:

access-list nonat extended permit ip 2.2.2.0 255.255.255.0 x.x.x.x 255.255.255.0

access-list nonat extended permit ip 4.4.4.0 255.255.255.0 x.x.x.x 255.255.255.0

access-list nonat extended permit ip 5.5.5.0 255.255.255.0 x.x.x.x 255.255.255.0

nat (inside) 0 access-list nonat

In this way, when traffic flows between 2.2.2.0/24, 4.4.4.0/24, 5.5.5.0/24 and the remote x.x.x.x/24, the traffic will not be NATed.

NAT 0 with an ACL takes precedence over any other type of NAT rule.


Federico.

Hi

Does the tunnel still work later on when I tune it?

What you're saying with the NAT 0 rules is that the traffic through the tunnel should not be NATed.

This will not affect the establishment of the tunnel itself (as it only affects traffic going inside the tunnel).

Now, for the tunnel to be able to pass traffic properly, both sides should agree that the expected traffic is coming from the real addresses (not the translated ones).

Federico.

Mate, do you think that with NAT exemption we run out of security because we are visible to the provider, or does the tunnel solve the security issue?

thanks

Some people consider NAT a security mechanism because it "hides" the real IP.

I personally like true security mechanisms.

If you tunnel all communication encrypted with IPsec, there are no security flaws in using NAT 0.

Federico.

Deepak Khemani
Level 1

Hi

I don't get the design you are using here. If you are using an MPLS cloud, then why do you need NAT and such...

I suppose you would have your own VRF with the provider. Now you can use a routing protocol like BGP or OSPF between the CEs. That way you don't need to configure NAT or anything.

And if you want encryption for your data, use VPN over MPLS. If there is any security policy you want to apply, you can configure your ASA to firewall traffic based on the sites' private IP addresses.

Hope I am not leading you in the wrong direction.

Cheers

Deepak Khemani

Hi Deepak

We have an ASA 5510, and a 2800 acts as the CE router; we rely on static routes to reach all sites.

By the way, our CE router (2800) is managed by the ISP, so we can't run a routing protocol.

Thanks

Hi Mates

Can the below work for my firewall, using NAT exemption to avoid translation to reach the other 3 sites back and forth over the MPLS cloud?

interface GigabitEthernet0/0
nameif outside
security-level 0
description to ISP Mpls
ip address 11.11.11.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 12.12.12.12 255.255.255.252

access-list all extended permit ip any any

nat (inside) 0 access-list all

route outside 0.0.0.0 0.0.0.0 11.11.11.2
! The ASA does not accept a second default route on a different interface;
! the networks behind 12.12.12.1 need specific static routes instead.
route inside 0.0.0.0 0.0.0.0 12.12.12.1

thanks folks

Ibrahim,

That would actually nonat all the traffic passing across the ASA. If you want to nonat traffic to specific sites, on the destination side of the ACL you need to put the destination network. For example, if you need to nonat the traffic from the inside going to the network 4.2.2.0 255.255.255.0, with the inside network being 10.10.10.0 255.255.255.0:

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 4.2.2.0 255.255.255.0

nat (inside) 0 access-list nonat

If you have any problems, let me know.

Mike
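A complete pre-8.3 ASA configuration that ties together the pieces discussed in the replies above, as an added example rather than configuration posted by anyone in this thread: the specific nonat ACL from Mike's reply, a PAT rule so that everything not exempted is still translated, a crypto ACL mirroring the nonat ACL so the tunnel carries the real addresses Federico described, and the site-to-site IPsec peer. The inside LAN 10.10.10.0/24 and remote site 4.2.2.0/24 come from Mike's reply; the remote peer address 22.22.22.1, the ACL and crypto map names, and the pre-shared key are assumed placeholders.

```cisco
! Added example for an ASA 5510 on pre-8.3 code (nat/global syntax as used in this thread).
! 10.10.10.0/24 (inside) and 4.2.2.0/24 (remote site) are from the thread;
! the peer 22.22.22.1, the names and the key are assumed placeholders.

! 1. NAT exemption: only traffic between the two sites is left untranslated.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 4.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2. Everything else leaving the inside (for example Internet-bound traffic)
!    still gets PAT to the outside interface address. nat 0 with an ACL is
!    evaluated before this rule, so exempted flows never reach it.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! 3. Crypto ACL: must match the nonat ACL line for line, so the tunnel
!    negotiates its proxy identities with the real (untranslated) addresses.
access-list SITE3-TO-SITE1 extended permit ip 10.10.10.0 255.255.255.0 4.2.2.0 255.255.255.0

! 4. IKEv1 phase 1 and phase 2 parameters (must be agreed with the remote site).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! 5. Crypto map bound to the outside interface that faces the MPLS CE router.
crypto map MPLS-MAP 10 match address SITE3-TO-SITE1
crypto map MPLS-MAP 10 set peer 22.22.22.1
crypto map MPLS-MAP 10 set transform-set ESP-AES256-SHA
crypto map MPLS-MAP interface outside

! 6. Site-to-site tunnel group keyed by the peer address.
tunnel-group 22.22.22.1 type ipsec-l2l
tunnel-group 22.22.22.1 ipsec-attributes
 pre-shared-key ReplaceWithStrongSharedSecret

! Checks: walk a packet through the NAT and VPN lookups, then inspect the SA and xlate table.
packet-tracer input inside tcp 10.10.10.5 1025 4.2.2.5 80
show crypto ipsec sa peer 22.22.22.1
show xlate
```

For the site-to-site flow, packet-tracer should show the NAT phase hitting the exemption and the VPN phases encrypting the packet; a trace to an address outside 4.2.2.0/24 should instead hit the dynamic PAT rule, which is what keeps Internet access working alongside the exemption. The remote ASA needs the mirror image of both ACLs (source and destination swapped), otherwise the proxy identities will not match and phase 2 fails. Traffic arriving through the tunnel bypasses the outside interface ACL only because sysopt connection permit-vpn is on by default; disable it if you want to filter tunnelled traffic with interface ACLs.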

Mike

Hi

  • In this situation, is there no need for a PAT configuration?

  • Do I need to configure the NAT exemption on the other 3 sites also, toward my subnet, in order to let them ping my resources, or just at my small site?

thanks
