
Aug 26

Identity NAT vs NAT exempt on Cisco ASA

Identity NAT and NAT exempt are commonly treated as the same kind of "no NAT" configuration, but in practice the two are configured differently and the firewall processes them differently internally.

Identity NAT configuration

nat (inside) 0 10.1.1.3

NAT Exempt configuration

access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT


Identity NAT:
– works only one way (in the direction specified, i.e. for connections initiated from the interface named in the nat statement)
– appears in the xlate table

NAT exempt:
– works bidirectionally (the access list matches the traffic in both directions)
– does not appear in the xlate table



Note: Identity NAT is not going to work for a L2L VPN because it works one way only, and that is why we should always use NAT exempt (with the access list) to allow bidirectional communication.
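As an added example (not from the original post), here is a small Python audit helper that reads the pre-8.3 `nat (iface) 0 ...` lines from an ASA configuration, classifies each as identity NAT or NAT exempt, resolves the exempt ACL to its source/destination pairs, and reports the direction and xlate behaviour described above. The sample configuration, the `NoNatRule` class and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample config (assumption), extending the post's two forms with a masked identity NAT.
SAMPLE_CONFIG = """\
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 10.1.1.3
nat (inside) 0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT0_HOST_RE = re.compile(r"^nat \((\S+)\) 0 (\d+(?:\.\d+){3})(?: (\d+(?:\.\d+){3}))?$")

@dataclass
class NoNatRule:
    kind: str        # "identity" (nat 0 <ip> [mask]) or "exempt" (nat 0 access-list <name>)
    interface: str
    flows: list      # (src, src_mask, dst, dst_mask); identity NAT has no destination, so "any"
    bidirectional: bool
    in_xlate: bool

def parse_no_nat(config: str) -> list:
    """Classify every 'nat (iface) 0 ...' line; ACLs are collected first since order is not guaranteed."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {}
    for line in lines:
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    rules = []
    for line in lines:
        if m := NAT0_ACL_RE.match(line):
            iface, name = m.groups()
            rules.append(NoNatRule("exempt", iface, acls.get(name, []), True, False))
        elif m := NAT0_HOST_RE.match(line):
            iface, host, mask = m.groups()
            rules.append(NoNatRule("identity", iface, [(host, mask or "255.255.255.255", "any", "any")], False, True))
    return rules

def report(rules: list) -> list:
    """One line per flow, spelling out the direction and xlate behaviour the post describes."""
    out = []
    for r in rules:
        direction = "bidirectional" if r.bidirectional else f"one-way (initiated from {r.interface} only)"
        xlate = "appears in xlate" if r.in_xlate else "no xlate entry"
        for src, smask, dst, dmask in r.flows:
            out.append(f"{r.kind:8} {src}/{smask} -> {dst}/{dmask}: {direction}, {xlate}")
    return out
```

An exempt rule whose ACL is missing from the config yields no flows and therefore no report line, which is itself worth flagging when reviewing a VPN setup.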
