NAT exemption needed for VPN access in 8.4?

oldcreek12
Level 1

Hi, all,

Assuming a typical scenario in which the inside network and the VPN pool both use RFC1918 address space, can anybody explain to me why NAT exemption configuration is needed for VPN access? 8.4 does not have the NAT-control concept, so it is not a requirement that traffic flowing between two interfaces with different security levels has to go through NAT. I actually have a working SSLVPN configuration that does not have any NAT-related configuration, yet all the tutorials I read regarding 8.4 NAT mention that NAT exemption configuration (a.k.a. "twice NAT" in 8.4 terms) is needed for VPN access. Did I do something right that I did not even know about?

3 Replies

andamani
Cisco Employee

Hi,

The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (a nat statement with a matching global, or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX/ASA version 7.0 and later is the no nat-control command. With PIX/ASA version 7.0 and later, you can change this behavior when you issue the nat-control command.

NAT exemption is required to ensure that the data passes over the VPN tunnel. By NAT exemption you are stating that the traffic is not to be NATed but passed over a secure VPN tunnel.

In 8.4, nat 0 does not exist. Hence you will do a self-translation of the source and the destination. Also, you will place the NAT rule at the top of the NAT table.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
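As a worked illustration of the self-translation described in the answer above, here is an added ASA 8.4 configuration example; it is not from this thread or from Cisco's documentation. It assumes an inside LAN of 192.168.1.0/24, a VPN pool of 192.168.50.0/24, and interfaces named "inside" and "outside"; all of these are constructed values. The identity rule only matters when a broader rule (typically dynamic PAT toward the Internet) would otherwise match inside-to-pool traffic; with no NAT rules at all there is nothing to exempt from.

```cisco
! Added example (not from this thread): ASA 8.4 twice NAT identity rule
! Assumed addressing: inside LAN 192.168.1.0/24, VPN pool 192.168.50.0/24,
! interfaces named "inside" and "outside". Replace with your own values.

object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0

! Identity (self) translation of both source and destination, placed in
! section 1 of the NAT table so it is matched before any object/auto NAT.
! "no-proxy-arp" stops the ASA answering ARP on the outside for the
! untranslated pool; "route-lookup" (8.4(2) and later) picks the egress
! interface from the routing table instead of from the NAT rule.
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! The rule that would otherwise catch the traffic: dynamic PAT for inside
! hosts going to the Internet (section 2, object NAT). Without the identity
! rule above, inside-to-pool traffic is PATed to the outside interface
! address and the VPN hosts never see the real inside addresses.
object network INSIDE-NET
 nat (inside,outside) dynamic interface

! Verification: the identity rule should appear first in "show nat", and the
! NAT phase of packet-tracer should show the packet left untranslated.
show nat
packet-tracer input inside tcp 192.168.1.10 12345 192.168.50.5 445
```

When reading the packet-tracer output, confirm that the NAT phase references the section 1 identity rule and that the result is ALLOW; if the dynamic PAT rule is hit instead, the identity rule is either missing or ordered after it.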

Hi, Anisha,

I do appreciate you taking the time to answer my questions, so do I need NAT exemption (twice NAT in 8.4 terms) EXPLICITLY configured on 8.4 in order for VPN access to work?

Hi,

You need a NAT exemption for VPN to work.

You can check the following doc:

https://supportforums.cisco.com/docs/DOC-11639

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.