Aug 26

Identity NAT vs NAT exempt on Cisco ASA

Identity NAT and NAT exempt are commonly considered the same kind of ‘no natting’ configuration when in practice both methods are configured slightly different as well as firewall’s internal processing.

Identity NAT configuration

nat (inside) 0

NAT Exempt configuration

access-list NO_NAT extended permit ip
nat(inside) 0 access-list NO_NAT

Identity NAT:
– works only one way (in dirrection specified)
– appear in xlate table

NAT exempt:
– works bidirrectional
– does not appear in xlate table

Note:Identity NAT is not going to work for L2L VPN as work one way only and that’s why we always should use NAT Exempt (with the access list) to allow bidirectional communication.

Follow me!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>