Solved

Cisco ASA: NAT exemptions required for VPNs?

Posted on 2009-05-14
Last Modified: 2012-05-07
I have two Cisco ASAs, that were originally built by different people. On asa1, when I build a new VPN (site to site or remote access), I need to go to Firewall | NAT Rules, and add a "NAT Exempt rule". The source is my networks, destination is the remote networks, and action is "NAT Exempt outbound traffic ..."

However, on asa2, there are no NAT rules, and VPNs can be built (and work) without adding NAT Exempt rules.

Both have identical interface layouts, with the internal interface having a 100 security level, and the public 0.

My question is, what do the NAT exempt rules do, and why are they required on one ASA and not the other? Thanks!
Question by:shanepresley
5 Comments
Accepted Solution by tvman_od (LVL 11, earned 2000 total points), ID: 24385679
The answer is in the processing sequence.
Cisco will apply IPSEC before NAT. So you need to instruct NAT not to touch packets for the VPN.

Full explanations are here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
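As an added illustration (not from the thread or from the Cisco note linked above), here is what the exemption looks like on an ASA running pre-8.3 software, where ASDM's "NAT Exempt outbound traffic" rule is written as a `nat 0` rule with an ACL. The networks, ACL names and interface names are assumptions for the example; on 8.3 and later the same idea is expressed with twice NAT (`nat ... source static ...`) instead.

```cisco
! Constructed example: asa1, pre-8.3 nat/global syntax.
! A dynamic PAT rule gives inside hosts Internet access. On its own it
! matches every inside host leaving "outside", including hosts whose
! traffic is meant for the tunnel.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Interesting traffic for the site-to-site tunnel (local 10.1.1.0/24 to
! remote 10.2.2.0/24). If the source is translated to the outside address
! it no longer matches this ACL and never enters the tunnel.
access-list vpn-to-site2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! NAT exemption: identity rule for the same source/destination pair.
! "nat 0 access-list" takes precedence over the dynamic rule above, so
! VPN-bound packets keep their real addresses.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! asa2 in the thread has no nat/global statements at all, so there is
! nothing to translate and therefore nothing to exempt.
!
! Check either box with packet-tracer (replace addresses with your own):
! packet-tracer input inside tcp 10.1.1.10 1234 10.2.2.10 80
! On asa1 the NAT phase should report the exempt rule and the VPN phase
! should show the packet being encrypted.
```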
Author Comment by shanepresley (LVL 1), ID: 24394867
Thanks tvman_od,

But could you help me understand why the NAT exemptions are required on one ASA, but not the other? Is there some global config option to bypass the need for NAT exemptions? On asa2 there are no NAT rules defined, but all VPNs created work perfectly. On asa1, I need to manually define NAT exemptions to get the same VPNs to work.
Expert Comment by tvman_od (LVL 11), ID: 24438057
If you would post both configs I would be able to come up with better explanations. There is a chance that on asa2 you don't have "Split" tunneling and don't have active NAT at all. So all packets are being forwarded into the tunnel and the remote peer is visible using a static, not default, route. Or something else.
Just remove public and private IPs and put some bogus figures. Remove keys and passwords as well.
Author Comment by shanepresley (LVL 1), ID: 24485007
Unfortunately I am not able to post the configs (against our policy).  But thanks for the assistance!
Expert Comment by tvman_od (LVL 11), ID: 24488924
You are welcome.
If you really need to find out the answer and cannot post configs, you can send me a message over email. You can find the address in my profile.
