hdashnau, Cisco Employee

Reference document for NAT exemption (known as "nonat" or "nat 0" in pre-8.3 releases) for a basic L2L or basic RA setup on ASA 8.3 and later.


L2L Example

Topology:

192.168.1.0/24 inside(ASA1)outside ===VPN=== outside(ASA2)inside 192.168.2.0/24

If you were configuring the NAT exemption on ASA1 for this L2L tunnel, it would look like this (ASA2 gets the mirror image, with its own LAN as the local object):

object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

RA Example

Topology:

192.168.3.0/24 (vpnclient pool) ===VPN=== outside(ASA1)inside 192.168.1.0/24

If you were configuring the NAT exemption on ASA1 for this RA tunnel, it would look like this:

object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

*Note: The "1" in the command above is the rule's line number within section 1 (twice NAT). Due to bug CSCtf89372, I use it to put the NAT exemption statement at the top of all my nat statements, so it is matched before any other twice-NAT rule (section 1 is evaluated top-down, first match wins).

Using Management-access Inside

In all the above cases, when you convert the nat 0 command in pre-8.3 code to post-8.3 code, you'll probably notice that you're converting it from a NAT exemption into a static identity NAT. Just like in pre-8.3 code, post-8.3 static NAT rules don't do a route lookup for an ingress packet. Instead they forcibly place the packet on the egress interface named in the nat command. If you run packet-tracer you'll see something like this:

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_RDP
 nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 64.102.156.87/3389 to 192.168.1.5/3389

Notice that it says "NAT divert". That means the ASA skipped the route lookup for the address you're trying to reach and used the NAT statement to decide which interface to send the packet out of. Sometimes this is a good thing and can be used for various tricks (refer to Load Balancing Dual ISP on ASA). Unfortunately, if you're using the VPN to manage the firewall, you don't want packets destined to the ASA itself to be "NAT diverted" out some interface; you want those packets processed by the ASA itself (together with the management-access inside command this section refers to). In these situations you want to configure the nat command as:

nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup

This command makes the ASA do the route lookup instead of blindly routing the packets. The route-lookup keyword is only accepted on identity NAT rules (real and mapped objects the same), which is exactly what a NAT exemption is.
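To make the two behaviours above concrete, here is an added illustration (not Cisco code, and not packet-tracer output) that models how the ASA picks a first-matching section-1 rule and then either diverts the packet to the interface in the nat command or does a route lookup. Everything in it is an assumption for the sake of the example: the interface names, the routing table, the ASA's own inside address (192.168.1.1), and a catch-all dynamic PAT rule used to show why the exemption must sit at line 1. Decrypted VPN traffic is treated as arriving on the outside interface, as the ASA does.

```python
"""Toy model of ASA 8.3+ twice-NAT first-match and NAT divert vs route-lookup.

Added example for this article; it is not Cisco code. Interface names, the
routing table and the ASA inside address 192.168.1.1 are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    """nat (real_if,mapped_if) source <kind> src src destination static dst dst"""
    real_if: str
    mapped_if: str
    src: str                    # real source object: CIDR or "any"
    dst: str                    # real destination object: CIDR or "any"
    kind: str = "static"        # "static" identity NAT or "dynamic" PAT
    route_lookup: bool = False  # the trailing route-lookup keyword


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # decrypted VPN traffic ingresses on "outside"
    src: str
    dst: str


def _in(addr: str, obj: str) -> bool:
    return obj == "any" or ip_address(addr) in ip_network(obj)


def first_match(pkt: Packet, rules: list[NatRule]) -> Optional[NatRule]:
    """Section 1 is evaluated top-down; the first matching rule wins."""
    for r in rules:
        # Forward direction: packet enters on the real interface.
        if pkt.ingress_if == r.real_if and _in(pkt.src, r.src) and _in(pkt.dst, r.dst):
            return r
        # Static rules are bidirectional: entering on the mapped interface,
        # the source/destination objects are matched the other way round.
        if (r.kind == "static" and pkt.ingress_if == r.mapped_if
                and _in(pkt.src, r.dst) and _in(pkt.dst, r.src)):
            return r
    return None


def egress(pkt: Packet, rules: list[NatRule], routes: dict, local_addrs: set):
    """Return (how, interface) with how in nat-divert, local, route-lookup, dynamic-pat."""
    r = first_match(pkt, rules)
    if r is not None and r.kind == "dynamic":
        return ("dynamic-pat", None)          # translated; exactly what a VPN exemption must prevent
    if r is not None and not r.route_lookup:
        # NAT divert: the other interface of the pair is forced as egress,
        # even if the destination is the ASA's own address.
        out = r.mapped_if if pkt.ingress_if == r.real_if else r.real_if
        return ("nat-divert", out)
    if pkt.dst in local_addrs:
        return ("local", None)                # to-the-box: needs management-access inside over VPN
    best = max((n for n in routes if ip_address(pkt.dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen, default=None)
    return ("route-lookup", routes[best] if best else None)


# Constructed scenario mirroring the RA example in the article.
EXEMPT = NatRule("inside", "outside", "any", "192.168.3.0/24")
EXEMPT_RL = NatRule("inside", "outside", "any", "192.168.3.0/24", route_lookup=True)
PAT = NatRule("inside", "outside", "any", "any", kind="dynamic")   # assumed catch-all PAT
ROUTES = {"192.168.1.0/24": "inside", "0.0.0.0/0": "outside"}     # assumed routing table
ASA_OWN = {"192.168.1.1"}                                         # assumed ASA1 inside address


def demo() -> dict:
    to_asa = Packet("outside", "192.168.3.10", "192.168.1.1")   # VPN client -> ASA inside IP
    to_host = Packet("outside", "192.168.3.10", "192.168.1.5")  # VPN client -> LAN host
    from_lan = Packet("inside", "192.168.1.5", "192.168.3.10")  # LAN host -> VPN client
    return {
        "mgmt_without_route_lookup": egress(to_asa, [EXEMPT], ROUTES, ASA_OWN),
        "mgmt_with_route_lookup": egress(to_asa, [EXEMPT_RL], ROUTES, ASA_OWN),
        "host_with_route_lookup": egress(to_host, [EXEMPT_RL], ROUTES, ASA_OWN),
        "exempt_at_line_1": first_match(from_lan, [EXEMPT, PAT]).kind,
        "pat_before_exempt": first_match(from_lan, [PAT, EXEMPT]).kind,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first two entries reproduce the management problem: without route-lookup the packet for the ASA's own inside address is diverted out the inside interface, with it the packet is handled locally. The last two show why the line number matters: with the exemption after a catch-all dynamic rule, LAN-to-VPN traffic is PATed and never reaches the exemption.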

Comments
jhiggins (Level 1)

My nat(0) access list of 425 lines has changed into over 2000 lines of new and different NAT code. It is just wonderful.

Florin Barhala (Level 6)

Thanks for the article!

It helped me to SNMP over site-to-site on the inside interface after some struggle!
