cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

22929
Views
0
Helpful
3
Replies
Highlighted
Beginner

NAT exemption needed for VPN access in 8.4?

Hi, all,

Assuming a typical senario that inside network and VPN pool are using RFC1918 address space, anybody can explain to me why NAT exemption configuration is needed for VPN access? 8.4 does not have NAT-control concept, so it is not a requirement that traffic flow between two different security level interfaces has to go through NAT, I actually have a working SSLVPN configuration that does not have any NAT related configuration, yet all tutorial I read regarding 8.4 NAT all mentioned that NAT exemption configuration (a.k.a "twice NAT" in 8.4 term) is needed for VPN access. Did I do something right I did not even know?

Everyone's tags (5)
3 REPLIES 3
Cisco Employee

Re: NAT exemption needed for VPN access in 8.4?

Hi,

The nat-control command on the PIX/ASA  specifies that all traffic through the firewall must have a specific  translation entry (nat statement with a matching global or  a static statement) for that traffic to pass through the  firewall. The nat-control command ensures that the translation  behavior is the same as PIX Firewall versions earlier than 7.0. The  default configuration of PIX/ASA version 7.0 and later is the  specification of the no nat-control command. With PIX/ASA version  7.0 and later, you can change this behavior when you issue the nat-control command.

Nat exemption is required to ensure that the data passes over the VPN tunnel. By nat exemption you are stating that the traffic is not be natted but passed over a secure VPN tunnel.

In 8.4 nat 0 does not exist. Hence you will do a self translation of the source and the destination. Also you will place the nat at the top of the NAT table.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Beginner

Re: NAT exemption needed for VPN access in 8.4?

Hi, Anisha,

I do appreciate you taking time answering my questions, so do I need nat exemption (twice NAT is 8.4 term) EXPLICITLY configured on 8.4 in order for VPN access to work?

Cisco Employee

Re: NAT exemption needed for VPN access in 8.4?

Hi,

You need a nat exemption for VPN to work.

You can check the following doc:

https://supportforums.cisco.com/docs/DOC-11639

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts