understanding asa vpn nat-exemption

baselzind (Level 6)

Let us say we have two sites with an IPsec site-to-site VPN.

Site 1: public IP 172.80.1.1/24, internal IP 10.1.1.1/24

Site 2: public IP 172.80.2.1/24, internal IP 10.1.2.1/24

I know normally we use the public IP to set up the S2S VPN between the two sites; traffic from site 1 would be NATed into 172.80.1.1/24, then would be received by site 2 and NATed back into 10.1.2.1/24. But the QUESTION is: what happens if I check mark "nat exempt"?


8 Replies

Hi @baselzind 

Without NAT exemption, when Site A communicates with Site B, traffic from 10.1.1.1 is NATed behind 172.80.1.1. By configuring NAT exemption, you ensure the traffic is not NATed and is sent over the tunnel using the original IP address (10.1.1.1). This configuration must be mirrored on Site B, otherwise its return traffic could be NATed behind its public IP address.

Thanks a lot for your info, but what is the point of NAT exemption?

The point is to ensure that the VPN traffic is not unintentionally NATed. Normally you'd want to communicate over the VPN using the real/original IP address, so NAT exemption ensures this.

Trying to understand this more clearly: so with NAT exempt the packets will arrive at the other site with source address 10.1.1.1/24, BUT without NAT exempt the packets will arrive at the other site as 172.80.1.1/24?

The private IP ranges defined in RFC 1918 are not allowed to be routed on the internet; this is why we need to NAT the traffic before it leaves our edge devices and hits our ISP networks, before it is routed to the internet. If you don't apply NAT to the traffic destined for the internet, the ISP will deny it.

This is different with VPN traffic. With VPN traffic we most likely would not need to apply any NAT to the traffic passing through the tunnel. The reason for this is that we most likely want to allow connectivity between two or more subnets through their original private IP addresses, and this is where we need NAT exemption. NAT exemption is also called identity NAT, which technically speaking translates the source and the destination to themselves, so the source and the destination maintain their original IP addresses.

Although in some specific cases we have to apply NAT to VPN traffic, that would still be a translation from a private IP to another private IP. An example of this would be if we have two identical subnets on the VPN tunnel.

Hi Aref, good explanation. We are facing a similar problem. We have a site-to-site tunnel between both ASAs over a public ISP. The point we see is that after reaching the FW interface it is getting blocked at the ISP side. My suspicion is the ISP could be blocking because they don't allow private IPs? And yes, we do NAT exempt as it is VPN-based traffic.

Thanks! This is interesting because the ISP wouldn't be able to see your VPN traffic as it would be encrypted. However, if the traffic sent between the two sites is not passing through the VPN tunnel, then yes the ISP would see it and block it as it would be flowing across with the private IP addresses which would never be allowed over the public internet. I would try to check the VPN settings on both firewalls and make sure that the interested traffic is included in the encryption domains ACL (assuming it is a policy based VPN). If you are using a route based VPN I would check that the right routing is in place through the right tunnel interface.

That is correct, on the basis that you already have NAT configured (for internet access) to nat all outbound traffic behind the outside interface. If you don't already have NAT configured, then you won't need NAT exemption.
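The following ASA configuration is an added example, not posted by anyone in this thread, showing what the replies above describe: an ordinary outbound PAT rule that would otherwise catch the VPN traffic, the identity (NAT exemption) rule that takes precedence over it, and the crypto ACL written against the real addresses. Addresses are the ones from the question; the interface names, object names, ACL name, crypto map name and the omitted IKE/IPsec proposal settings are assumptions.

```cisco
! Site 1 ASA (ASA 8.3+ NAT syntax). Addressing as given in the question.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.80.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
object network SITE2-LAN
 subnet 10.1.2.0 255.255.255.0
!
! Internet access: everything from inside is PATed behind the outside
! interface (172.80.1.1). This is object (auto) NAT, evaluated in NAT
! section 2. On its own it would also translate traffic bound for Site 2,
! which is the "natted behind 172.80.1.1" case described in the thread.
object network SITE1-LAN
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! NAT exemption = identity NAT: 10.1.1.0/24 -> 10.1.2.0/24 is translated to
! itself in both directions. Manual (twice) NAT sits in section 1, so this
! rule is matched before the dynamic PAT rule above. Site 2 needs the
! mirror image of this line with the two objects swapped.
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup
!
! Interesting-traffic ACL for the policy-based tunnel. It must reference the
! real (untranslated) subnets, which is exactly what the exemption preserves.
access-list VPN-TO-SITE2 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE2
crypto map OUTSIDE_MAP 10 set peer 172.80.2.1
crypto map OUTSIDE_MAP interface outside
!
! Verification: 'show nat' should list the identity rule in section 1 ahead
! of the dynamic rule, and packet-tracer for an inside host talking to Site 2
! should show an untranslated source hitting the VPN phase rather than PAT.
! show nat
! packet-tracer input inside tcp 10.1.1.10 40000 10.1.2.10 443
```

If packet-tracer shows the dynamic PAT rule being hit instead of the identity rule, the exemption is missing or its objects do not cover the traffic, which is the symptom to look for in the ISP-blocking case discussed above.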