Cisco ASA NAT Exemption (post version 8.3)

posted 13 Jul 2015, 08:52 by Tristan Self
The changes to the ASA IOS post version 8.3 changes the way that NAT works. NAT Exemption is normally used to disable translation for certain addresses e.g. for VPN tunnelling.

So for this example below you create an access-list containing the IP addresses that are to be exempted from NAT. So say these are the site to site VPN addresses where 192.168.0.0/24 is the A end, and 172.31.0.0 255.255.255.0 is the B end.

 
# access-list NAT_EXEMPT extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
# nat (inside) 0 access-list NAT_EXEMPT

This basically says traffic going through the firewall from 192.168.0.0/24 to 172.31.0.0/24 through the firewall should not be NATTed.
Comments