NAT EXEMPTION ON L2L site-to-site VPN is mandatory or not for 9.6 code

vasanth77 (Level 1)

Hi security experts,

I'm new to real-world exposure to security implementation.

Do we need to NAT-exempt site-to-site VPN traffic between ASA firewalls with a new implementation on the iOS 9.6 version of ASA code?

In site-to-site communication, which addresses will be communicating with the remote network, the real private addresses or the firewall address?

Thanks in advance,

8 Replies

Hi,
Generally you would configure a no-NAT/NAT exemption rule even on v9.6, so the sites would communicate with each other using their real IP addresses.

HTH

Are no-NAT and NAT exemption the same, I guess?
Actually I had an interview question: if 2 new ASA boxes are given to you for a site-to-site VPN, is NAT exemption mandatory, or can we do without NAT exemption?
I replied that I would do NAT exemption; not sure what the correct answer is?

Yes, same thing really.

If the ASA was configured on the internet edge (providing FW and VPN services), outbound internet traffic would normally be NATted outbound behind the outside interface; NAT would be required for this to work. When an L2L VPN on the same ASA is configured without a NAT exemption rule in place, the traffic would more than likely match the outbound NAT rule (the rule that NATs the internet traffic) and cause an issue when using the VPN. This scenario is when you would need a NAT exemption rule.

If the ASA was purely a VPN concentrator (terminating VPNs only and not providing internet access), NAT would normally not be configured for internet access, so you would probably not require a dedicated NAT exemption rule.

Make sense?

HTH
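The internet-edge scenario above, as an added configuration example that is not part of this thread: an ASA 9.x with outbound PAT for internet access plus the identity (exemption) rule that keeps the L2L traffic untranslated. Subnets, object names, interface names and the ACL name are assumed.

```cisco
! Constructed example, not from the thread. ASA 9.x (post-8.3 NAT syntax).
! Local LAN 192.168.10.0/24 behind "inside", remote site LAN 192.168.20.0/24
! reached over the L2L tunnel terminated on "outside". Names are assumed.
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
 ! Section 2 (object/auto NAT): outbound PAT behind the outside interface.
 ! On its own this rule would also translate VPN-bound traffic, so the
 ! translated packet no longer matches the crypto ACL below and is sent
 ! to the internet in the clear instead of into the tunnel.
 nat (inside,outside) dynamic interface
!
object network REMOTE-LAN
 subnet 192.168.20.0 255.255.255.0
!
! Section 1 (manual twice NAT) is evaluated before section 2, so this
! identity rule wins for local<->remote traffic: source and destination
! are "translated" to themselves, i.e. NAT exemption / no-NAT.
! route-lookup keeps egress based on the routing table rather than the
! NAT rule's interfaces; no-proxy-arp avoids the ASA answering ARP for
! the (untranslated) remote subnet on the inside.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Crypto ACL ("interesting traffic") is written with the real, pre-NAT
! addresses, which is why the exemption is needed for it to match.
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! Verification (exec mode): confirm rule order and that a VPN-bound flow
! hits the identity rule rather than the PAT rule.
! show nat
! packet-tracer input inside tcp 192.168.10.5 12345 192.168.20.5 80
```

In the packet-tracer output, the NAT phase for the VPN-bound flow should show the `source static LOCAL-LAN LOCAL-LAN ...` rule, while a flow to a public address should show the `dynamic interface` rule.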

Thank you for the explanation.
From your guidance I assume that if an ASA is acting as a NAT device for internet access and also for the L2L VPN, we need to NAT-exempt the VPN traffic between sites.

If we are using a VPN concentrator, or only terminating site-to-site tunnels between ASAs (not sure whether it will face the internet or the inside network), we don't need to do NAT exemption?

Please confirm my assumption.

Thanks again.

Accepted solution:

Correct, if FW and VPN, NAT exemption is required.
Correct, if VPN concentrator only (and NAT is not configured for internet access), then NAT is not required.

Ultimately you need NAT exemption if there is another NAT rule in place (usually for outbound internet traffic) that could unintentionally NAT your traffic over the L2L VPN.

Thank you RJI for all the responses, as they explained it to me crystal clear.
We need a NAT exemption only when the same device is doing NAT for other traffic on the outside interface. If it is a new box or a VPN-only box, we don't need NAT exemption.

One final question: if we are using an ASA only for VPN purposes to connect different sites,
does it need to be placed behind any firewall, or can it be placed openly, internet-facing? What IP address (public or private) needs to be assigned on the ASA interface terminating the VPN tunnel on both sides?

Accepted solution:

Hi,
You might as well connect the ASA directly to the internet, using a public IP address on the outside interface.

HTH

Thank you for your quick response and your time.