  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2865

Cisco ASA: NAT exemptions required for VPNs?

I have two Cisco ASAs that were originally built by different people. On asa1, when I build a new VPN (site-to-site or remote access), I need to go to Firewall | NAT Rules and add a "NAT Exempt rule". The source is my networks, the destination is the remote networks, and the action is "NAT Exempt outbound traffic ..."

However, on asa2, there are no NAT rules, and VPNs can be built (and work) without adding NAT Exempt rules.

Both have identical interface layouts, with the internal interface at security level 100 and the public interface at 0.

My question is, what do the NAT exempt rules do, and why are they required on one ASA and not the other?  Thanks!
Asked by shanepresley

1 Solution
tvman_od commented:
The answer is in the processing sequence.
Cisco will apply IPsec before NAT, so you need to instruct NAT not to touch packets for the VPN.

Full explanations are here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml 
shanepresley (Author) commented:
Thanks tvman_od,

But could you help me understand why the NAT exemptions are required on one ASA but not the other? Is there some global config option to bypass the need for NAT exemptions? On asa2 there are no NAT rules defined, but all VPNs created work perfectly. On asa1, I need to manually define NAT exemptions to get the same VPNs to work.
tvman_od commented:
If you would post both configs I would be able to come up with a better explanation. There is a chance that on asa2 you don't have "split" tunneling and don't have active NAT at all, so all packets are being forwarded into the tunnel and the remote peer is visible using a static, non-default route. Or something else.
Just remove public and private IPs and put in some bogus figures. Remove keys and passwords as well.
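To make the two situations in this thread concrete (the accepted answer's point that NAT must be told to leave VPN traffic alone, and the follow-up guess that asa2 simply has no active NAT), here is a constructed pair of configuration fragments. This is an added example, not the asker's configs and not taken from the Cisco document linked above. It assumes pre-8.3 ASA syntax, which matches the ASDM "NAT Exempt" wording in the question, and uses placeholder networks 10.1.0.0/16 (local), 10.2.0.0/16 (remote) and a placeholder peer 203.0.113.1; ISAKMP policy and tunnel-group settings are omitted.

```cisco
! ===== asa1: dynamic PAT is active, so VPN traffic needs an exemption =====
! (constructed example; all addresses and names are placeholders)
!
! Interesting traffic for the tunnel: local LAN <-> remote LAN
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! NAT exemption ("nat 0"). Without this, the nat/global pair further down
! would rewrite 10.1.0.0/16 to the outside interface address, the packet
! would no longer match VPN-TRAFFIC, and it would leave the outside
! interface untunnelled instead of being encrypted to the peer.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! The active translation that makes the exemption necessary: everything
! from inside is PATed to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! ===== asa2: no NAT rules at all, so there is nothing to exempt =====
! Same crypto configuration, but no "nat (inside) 1" / "global (outside) 1"
! pair and therefore no "nat (inside) 0" either. Inside addresses are
! routable as-is (e.g. via a static route for 10.2.0.0/16 toward the peer),
! so the packet still carries its original source address when it is
! compared against the crypto ACL, and the tunnel works without any
! exemption rule in ASDM.
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
route outside 10.2.0.0 255.255.0.0 203.0.113.254 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! ===== Equivalent exemption on ASA 8.3 and later (identity twice NAT) =====
! Shown for readers on newer code; same placeholder networks.
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

A quick way to see which case a given ASA is in is `packet-tracer input inside tcp 10.1.0.5 12345 10.2.0.10 80` (substituting real hosts): on asa1 the NAT phase should report the exemption rule rather than the dynamic PAT, and on both boxes the trace should end with a VPN/encrypt phase. If the NAT phase shows the packet being translated to the outside address, that is the symptom of a missing exemption.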
shanepresley (Author) commented:
Unfortunately I am not able to post the configs (against our policy).  But thanks for the assistance!
tvman_od commented:
You are welcome.
If you really need to find out the answer and cannot post configs, you can send me a message over email. You can find the address in my profile.