Cisco
--
Questions
--
Followers
Top Experts
ASA 5505 9.1.3 Site to Site VPN Connection Profile Nat Exempt
Hi all,
On a Cisco ASA 5505 running 9.1.3. Under one of my connection profiles for a site to site VPN there is an option for Exempt ASA side host/network from address translation (Inside interface). That option is checked.
In the NAT rules there are several Section 1 and/or Manual NAT rules basically allowing the inside interface of the ASA to talk to different subnets on opposite side of the VPN in question. If I do a sh NAT DETAIL Command I can see the rules as follows:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside inside destination static OR_VOIP OR_VOIP
translate_hits = 45, untranslate_hits = 54
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 172.16.0.0/22, Translated: 172.16.0.0/22
2 (inside) to (outside) source static inside inside destination static OR_Dot4 OR_Dot4
translate_hits = 18, untranslate_hits = 18
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 192.168.4.0/24, Translated: 192.168.4.0/24
3 (inside) to (outside) source static inside inside destination static TT_LAN TT_LAN
translate_hits = 87, untranslate_hits = 87
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 192.168.121.0/24, Translated: 192.168.121.0/24
4 (inside) to (outside) source static inside inside destination static OR_Dot0 OR_Dot0
translate_hits = 90, untranslate_hits = 91
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Being that the "Exempt ASA side host/network from address translation" box is checked under the VPN connection profile do I still need these NAT rules?
Having a hard time finding out exactly what that check box does. Thanks.
On a Cisco ASA 5505 running 9.1.3. Under one of my connection profiles for a site to site VPN there is an option for Exempt ASA side host/network from address translation (Inside interface). That option is checked.
In the NAT rules there are several Section 1 and/or Manual NAT rules basically allowing the inside interface of the ASA to talk to different subnets on opposite side of the VPN in question. If I do a sh NAT DETAIL Command I can see the rules as follows:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside inside destination static OR_VOIP OR_VOIP
translate_hits = 45, untranslate_hits = 54
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 172.16.0.0/22, Translated: 172.16.0.0/22
2 (inside) to (outside) source static inside inside destination static OR_Dot4 OR_Dot4
translate_hits = 18, untranslate_hits = 18
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 192.168.4.0/24, Translated: 192.168.4.0/24
3 (inside) to (outside) source static inside inside destination static TT_LAN TT_LAN
translate_hits = 87, untranslate_hits = 87
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 192.168.121.0/24, Translated: 192.168.121.0/24
4 (inside) to (outside) source static inside inside destination static OR_Dot0 OR_Dot0
translate_hits = 90, untranslate_hits = 91
Source - Origin: 192.168.108.0/24, Translated: 192.168.108.0/24
Destination - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Being that the "Exempt ASA side host/network from address translation" box is checked under the VPN connection profile do I still need these NAT rules?
Having a hard time finding out exactly what that check box does. Thanks.
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
add no-proxy-arp route-lookup to the end of your site to site tunnel NAT statements on both sides.
MO
MO
Thank you for the answer, but it really doesn't answer my question. What does "Exempt ASA side host/network from address translation" box do?
Why do I need to add the no proxy-arp route-lookup to my Nat rules?
Why do I need to add the no proxy-arp route-lookup to my Nat rules?
It turns off NAT which is what you'd typically do in a traditional site to site VPN tunnel. Both sites would have that exemption set. You don't typically want the private networks on either side of the tunnel to translate to the global/public IP of the ASA.
turning off proxy-arp will allow the LAN sides of your tunnel to communicate with the LAN side interface of the opposing ASA.
To answer to your question, the NAT rules created are the result of turning on the exemption.
MO
turning off proxy-arp will allow the LAN sides of your tunnel to communicate with the LAN side interface of the opposing ASA.
To answer to your question, the NAT rules created are the result of turning on the exemption.
MO
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
So I think I am following you. If I add the no proxy-arp to my NAT statements should the above translations shown with the 'Show NAT Detail' go away? The way I read it now traffic is being translated, it is just not being translated to a public IP. Checking NAT exemption with no proxy arp should allow traffic to flow freely across the VPN tunnel with routing being handled by the ASA or a router/switch on the other end. Am I understanding correctly?
Actually, the NAT detail you have above is showing that the traffic is not being translated. In the old ASA/PIX days we called this "no NAT". You're essentially telling the ASA to not translate the traffic. Source and destination traffic retain the untranslated version of their subnets. In a standard/traditional configuration this is the right way to do it. Assuming that everything else in your configuration regarding the Site to Site tunnels is correct there is no need to modify your NAT configuration. The "no-proxy-arp" option simply turns proxy arp off so that the LAN side interfaces of your ASA's can communicate to the opposing side of the tunnel.
MO
MO
I get it. One final question and I believe we are done : - ). When I set up a site to site VPN tunnel via the wizard it automatically creates a NAT rule for me. This NAT rule has the 'Disable Proxy ARP on egress interface' box checked as well as the 'Lookup route to locate egress interface' box checked. This works fine and the sh nat detail shows the same results as above.
However if I uncheck those two boxes and change the direction to both on the said NAT rule I get the following warning.
This configuration also works fine and the Show NAT detail is the same.
So the final question is which configuration is better and is the warning something I really need to worry about.
However if I uncheck those two boxes and change the direction to both on the said NAT rule I get the following warning.
This configuration also works fine and the Show NAT detail is the same.
So the final question is which configuration is better and is the warning something I really need to worry about.
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Very good. Thank you much. I get it now.
Cisco
--
Questions
--
Followers
Top Experts
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).