04-29-2011 12:18 AM
Hi, all,
Assuming a typical scenario in which the inside network and the VPN pool both use RFC 1918 address space, can anybody explain to me why a NAT exemption configuration is needed for VPN access? 8.4 does not have the NAT-control concept, so it is not a requirement that traffic flowing between two interfaces of different security levels has to go through NAT. I actually have a working SSL VPN configuration that does not have any NAT-related configuration, yet all the tutorials I read regarding 8.4 NAT mention that a NAT exemption configuration (a.k.a. "twice NAT" in 8.4 terms) is needed for VPN access. Did I do something right without even knowing it?
05-02-2011 07:06 AM
Hi,
The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX/ASA version 7.0 and later is the specification of the no nat-control command. With PIX/ASA version 7.0 and later, you can change this behavior when you issue the nat-control command.
NAT exemption is required to ensure that the data passes over the VPN tunnel. By NAT exemption you are stating that the traffic is not to be NATed but passed over a secure VPN tunnel.
In 8.4 nat 0 does not exist. Hence you will do a self translation of the source and the destination. Also you will place the nat at the top of the NAT table.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
05-02-2011 10:19 AM
Hi, Anisha,
I do appreciate you taking the time to answer my questions, so do I need NAT exemption (twice NAT in 8.4 terms) EXPLICITLY configured on 8.4 in order for VPN access to work?
05-03-2011 12:58 AM
Hi,
You need a nat exemption for VPN to work.
You can check the following doc:
https://supportforums.cisco.com/docs/DOC-11639
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
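The identity (twice NAT) rule Anisha describes, as an added configuration example; it is not part of the thread or of the linked Cisco document, and the object names, interface names and addresses are assumptions for illustration. It also shows why the original poster's NAT-free SSL VPN config works: in 8.3 and later a packet that matches no NAT rule at all is forwarded untranslated, so with zero NAT statements nothing needs exempting. The exemption becomes necessary the moment a broader rule (typically the dynamic PAT that gives the LAN Internet access) also covers traffic between the LAN and the VPN pool.

```cisco
! Added example (not from the thread): ASA 8.4 twice-NAT identity rule that
! exempts inside <-> VPN-pool traffic from translation.
! Assumed names and addresses; adjust to your own inside LAN and VPN pool.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
object network VPN-POOL
 subnet 10.20.20.0 255.255.255.0

! The rule that makes the exemption necessary: object (auto) NAT giving the
! LAN Internet access by PATing it to the outside interface address. On its
! own it also matches LAN traffic destined for 10.20.20.0/24, so that traffic
! would be translated before entering the tunnel and the VPN session breaks.
object network INSIDE-NET
 nat (inside,outside) dynamic interface

! Identity rule: source and destination are "translated" to themselves.
! Manual (section 1) rules are evaluated before object NAT (section 2), and
! the explicit line number 1 puts this rule at the top of section 1 so it wins
! over any other manual rule. no-proxy-arp keeps the ASA from answering ARP
! for the pool addresses on the outside; route-lookup (8.4(2) and later) makes
! egress interface selection follow the routing table rather than the NAT rule
! and can be omitted on 8.4(1).
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Checks: confirm the rule order, then trace a packet from a LAN host to a
! VPN client. The NAT phase of the trace should hit the identity rule and the
! source address must be unchanged in the output.
show nat
packet-tracer input inside tcp 10.10.1.5 12345 10.20.20.10 445
```

If the packet-tracer output shows the dynamic PAT rule in the NAT phase instead of the identity rule, the identity rule is either missing or sits below another section 1 rule that matches first; `show nat` lists the rules in evaluation order.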