Cisco ASA: NAT exemptions required for VPNs?
Posted on 2009-05-14
I have two Cisco ASAs that were originally built by different people. On asa1, when I build a new VPN (site to site or remote access), I need to go to Firewall | NAT Rules, and add a "NAT Exempt rule". The source is my networks, destination is the remote networks, and action is "NAT Exempt outbound traffic ..."
However, on asa2, there are no NAT rules, and VPNs can be built (and work) without adding NAT Exempt rules.
Both have identical interface layouts, with the internal interface having a 100 security level, and the public 0.
My question is, what do the NAT exempt rules do, and why are they required on one ASA and not the other? Thanks!