01-22-2020 04:40 AM - edited 02-21-2020 09:51 AM
I have a scenario where traffic from Site A to Site B takes place via NAT. Now the requirement is to put this NATted traffic in a VPN tunnel created in Cisco ASA/Firepower. When I try to create site-to-site VPN tunnels it gives an option to exempt from NAT. Considering the traffic is already going to be manually NATted, do I even need to select this option? What will be the traffic flow in this case? Will it be translated through manual NAT first and then hit the tunnels? I assume I have to give the NAT subnet at the source and destination site in this case.
01-22-2020 05:12 AM
In the ASA there are three NAT sections:
section 1
section 2
section 3
Normally site-to-site VPN tunnels come under section 1 and they are called identity NAT or NAT exemption. You have to define a NAT exemption for your site-to-site VPN.
An example is:
nat (in,out) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
This command above is not going to NAT your traffic but will exempt it, so your rule above will not match the NAT traffic.
01-22-2020 05:22 AM
So in order to use manually defined NAT, I have to use NAT exempt while establishing the VPN tunnel? Also, if I have a multi-interface environment, how do I NAT exempt on all required interfaces? The ASDM wizard allows 1 interface to be selected from the dropdown.
01-22-2020 06:04 AM
Yes, correct. If you have a multiple-interface environment, in that case you have to distinguish which interface your source network is coming from. For example, your interesting network is 192.168.1.20, so in the ASA you can do:
show ip address | i 192.168.1
01-22-2020 06:37 AM
01-22-2020 06:25 AM - edited 01-22-2020 06:34 AM
Hi,
You don't have to use NAT exemption. When a VPN is established most people expect traffic from the original source IP address (real/private IP); without the NAT exemption rule in place the traffic would normally be NATted behind the outbound interface, as defined in the dynamic NAT rule typically used for all internet access.
If you are currently NATting traffic between Site A and Site B and you still want to NAT, then you need to ensure the NAT IP address is defined as the source in your crypto ACL - reverse that configuration on the peer.
Most organisations NAT when establishing a VPN to a 3rd party. If you control both ends of the VPN, I'd normally recommend a NAT exemption rule.
HTH
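To make the "keep NATting, but put the translated address in the crypto ACL" option concrete, here is an added example (editor's addition, not configuration from this thread or from Cisco) for ASA 8.3+ NAT syntax. Site A's LAN is translated to the 1.1.1.x range mentioned later in the thread and Site B's to 2.2.2.x, the crypto ACL on each side names the translated ranges, and Site B is the mirror image of Site A. The object names, the interface names inside/outside, the peer addresses 198.51.100.1 and 203.0.113.1 and the proposal name AES256-SHA are assumptions; the IKEv2 policy and tunnel-group configuration are left out.

```cisco
! Site A ASA. Added example, not configuration from the thread.
! Object names, interface names, peer address and proposal name are assumptions.
object network SITEA-REAL
 subnet 192.168.1.0 255.255.255.0
object network SITEA-NAT
 subnet 1.1.1.0 255.255.255.0
object network SITEB-NAT
 subnet 2.2.2.0 255.255.255.0
!
! Section 1 (manual/twice NAT) is evaluated before object NAT in section 2 and the
! after-auto rules in section 3, so this rule wins over the dynamic PAT used for
! internet access. Site A's real LAN becomes 1.1.1.0/24, but only towards Site B.
nat (inside,outside) source static SITEA-REAL SITEA-NAT destination static SITEB-NAT SITEB-NAT
!
! NAT is applied before the packet is matched against the crypto map, so the crypto
! ACL has to name the translated source, not 192.168.1.0/24.
access-list VPN-TO-SITEB extended permit ip object SITEA-NAT object SITEB-NAT
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposals AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Site B ASA: the mirror image. Its LAN 192.168.2.0/24 becomes 2.2.2.0/24 towards
! 1.1.1.0/24 and its crypto ACL is the reverse of Site A's.
object network SITEB-REAL
 subnet 192.168.2.0 255.255.255.0
object network SITEA-NAT
 subnet 1.1.1.0 255.255.255.0
object network SITEB-NAT
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) source static SITEB-REAL SITEB-NAT destination static SITEA-NAT SITEA-NAT
access-list VPN-TO-SITEA extended permit ip object SITEB-NAT object SITEA-NAT
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposals AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Verification on Site A: the NAT phase should show 192.168.1.20 translated to
! 1.1.1.20 and the VPN phase should report a match on VPN-TO-SITEB.
packet-tracer input inside tcp 192.168.1.20 12345 2.2.2.10 443
show nat detail
```

Two things follow from this design that the exemption approach avoids: hosts at Site A have to address Site B as 2.2.2.x (so DNS or application configuration must carry the translated addresses), and any change to the NAT ranges has to be made in the NAT rule and the crypto ACL on both peers at the same time, otherwise the proxy identities stop matching and the tunnel fails to negotiate.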
01-22-2020 06:41 AM
01-22-2020 06:57 AM
01-22-2020 08:41 AM
01-22-2020 09:13 AM
It seems like you are overcomplicating things. Why not just NAT exempt all the traffic between your sites?
Example of NAT exemption:
SITEA CONFIG
object network SITEA
 subnet 192.168.1.0 255.255.255.0
object network SITEB-2
 subnet 192.168.2.0 255.255.255.0
object network SITEB-3
 subnet 192.168.3.0 255.255.255.0
object-group network SITEB
 network-object object SITEB-2
 network-object object SITEB-3
nat (any,OUTSIDE) source static SITEA SITEA destination static SITEB SITEB
Just swap the NAT source and destinations for SITEB configuration.
If you don't want to NAT exempt all traffic, just amend the object groups above, define the traffic you don't want to be translated from the private IP address to 1.1.1.x on SITEA or 2.2.2.x on SITEB and apply the necessary NAT rule. The traffic that isn't defined in the NAT exemption rule would match your existing NAT rule and be translated from 192.168.x.x to 1.1.1.x.
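Where only part of SITEA should stay untranslated, as the post above describes, the order of the two manual NAT rules decides which one a packet hits. The following is an added example (editor's addition, not configuration from the thread) for the Site A ASA only. It reuses the SITEA object and the SITEB object-group from the post above; the SITEA-SERVERS and SITEA-NAT objects, the VPN-TO-SITEB ACL name and the use of (inside,OUTSIDE) instead of (any,OUTSIDE) are assumptions.

```cisco
! Site A ASA only. Added example, not configuration from the thread. Assumes the
! SITEA object and SITEB object-group from the post above are already defined;
! SITEA-SERVERS, SITEA-NAT and VPN-TO-SITEB are assumptions.
object network SITEA-SERVERS
 subnet 192.168.1.0 255.255.255.128
object network SITEA-NAT
 subnet 1.1.1.0 255.255.255.0
!
! Manual NAT rules in section 1 are matched top-down by line number. The exemption
! for the server half of the LAN must sit above the translating rule; the other way
! round every packet would match the 1.1.1.x translation first and the exemption
! would never be used.
nat (inside,OUTSIDE) 1 source static SITEA-SERVERS SITEA-SERVERS destination static SITEB SITEB no-proxy-arp route-lookup
nat (inside,OUTSIDE) 2 source static SITEA SITEA-NAT destination static SITEB SITEB
!
! The crypto ACL now has to carry both views of Site A: the real addresses for the
! exempted servers and the translated range for everything else.
access-list VPN-TO-SITEB extended permit ip object SITEA-SERVERS object-group SITEB
access-list VPN-TO-SITEB extended permit ip object SITEA-NAT object-group SITEB
!
! Check rule order and hit counts, then trace one host from each half of the LAN:
! 192.168.1.10 should leave untranslated, 192.168.1.200 should become 1.1.1.200.
show nat detail
packet-tracer input inside tcp 192.168.1.10 12345 192.168.2.10 443
packet-tracer input inside tcp 192.168.1.200 12345 192.168.2.10 443
```

The peer's crypto ACL needs the same two entries with source and destination reversed, otherwise the flows for the exempted servers and the translated hosts will not both match a phase 2 selector on the far side.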
01-22-2020 09:51 AM
According to Cisco best practice, using any is not recommended.
nat (any,outside) - better to define a zone:
nat (inside,outside)