Assuming a typical scenario where the inside network and the VPN pool both use RFC1918 address space, can anybody explain to me why a NAT exemption configuration is needed for VPN access? 8.4 does not have the NAT-control concept, so it is not a requirement that traffic flowing between two different security level interfaces has to go through NAT. I actually have a working SSLVPN configuration that does not have any NAT related configuration, yet all the tutorials I read regarding 8.4 NAT mentioned that a NAT exemption configuration (a.k.a. "twice NAT" in 8.4 terms) is needed for VPN access. Did I do something right without even knowing it?
The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX/ASA version 7.0 and later is the specification of the no nat-control command. With PIX/ASA version 7.0 and later, you can change this behavior when you issue the nat-control command.
NAT exemption is required to ensure that the data passes over the VPN tunnel. By NAT exemption you are stating that the traffic is not to be natted but passed over a secure VPN tunnel.
In 8.4 nat 0 does not exist. Hence you will do a self translation of the source and the destination. Also you will place the NAT at the top of the NAT table.
Hope this helps.
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
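The self translation of source and destination described above, written out as an ASA 8.4 twice NAT rule. This is an added illustration, not configuration from the thread or from Cisco documentation; the interface names, object names and subnets (10.1.1.0/24 for the inside LAN, 10.2.2.0/24 for the VPN pool) are assumed sample values.

```text
! Constructed sample objects for the inside LAN and the VPN address pool
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.2.2.0 255.255.255.0

! Identity ("self") translation: source stays INSIDE_NET, destination stays VPN_POOL.
! The line number 1 places it at the top of section 1 of the NAT table so it is
! matched before any broader dynamic PAT rule that would otherwise rewrite the source.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Typical rule the exemption protects inside-to-VPN traffic from (constructed example):
object network INSIDE_NET_PAT
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

The point of the ordering is that twice NAT rules are evaluated top-down and the first match wins: the identity rule lets inside hosts reach VPN clients with their real addresses, while everything else from INSIDE_NET still falls through to the dynamic PAT. To confirm which rule a flow hits, `show nat` shows the table with per-rule hit counts, and `packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.10 443` walks the NAT phases for one constructed flow.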
I do appreciate you taking the time to answer my questions, so do I need NAT exemption (twice NAT in 8.4 terms) EXPLICITLY configured on 8.4 in order for VPN access to work?
You need a NAT exemption for VPN to work.
You can check the following doc:
Hope this helps.
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.