Cisco ASA NAT Exemption

NAT exemption allows you to exclude traffic from being translated with NAT. One scenario where you usually need this is when you have a site-to-site VPN tunnel.

In this lesson, I’ll walk you through a scenario and explain what happens with and without NAT exemption.

Configuration

We’ll use the following topology:

Figure: ASA1 / ASA2 NAT exemption topology

Let me explain what we have above:

  • S1 and S2 are servers on internal networks.
  • S3 is a server on the Internet.
  • ASA1 and ASA2 use NAT to translate traffic from S1 and S2 to the IP address on their GigabitEthernet 0/0 interfaces.
  • We use an IPSec IKEv2 VPN tunnel between ASA1 and ASA2 for traffic between S1 and S2.
  • HTTP server runs on S1, S2, and S3, so that we have something to connect to.

I use ASAv 9.9(2) for this example.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

ASA1

hostname ASA1
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0

ASA2

hostname ASA2
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0

S1

hostname S1
!
no ip routing
!
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.1.101 255.255.255.0
!
ip default-gateway 192.168.1.254
!
ip http server
!
end

S2

hostname S2
!
no ip routing
!
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.2.102 255.255.255.0
!
ip default-gateway 192.168.2.254
!
ip http server
!
end

S3

hostname S3
!
ip cef
!
interface GigabitEthernet0/1
 ip address 10.10.10.3 255.255.255.0
!
ip http server
!
end

PAT

Let’s start with the PAT configuration, explained in detail in the Cisco ASA PAT configuration lesson.

We translate all traffic from the subnets where the hosts reside to the outside interface of the ASAs:

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
ASA2(config)# object network INSIDE
ASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA2(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

This completes our PAT configuration.

IPSec Site-to-Site VPN

Let’s configure a VPN tunnel between ASA1 and ASA2, as explained in detail in the ASA site-to-site IKEv2 IPSec VPN lesson.

We configure an IKEv2 policy on both ASAs:

ASA1 & ASA2
(config)# crypto ikev2 policy 10
(config-ikev2-policy)# encryption aes
(config-ikev2-policy)# group 2
(config-ikev2-policy)# prf sha
(config-ikev2-policy)# lifetime seconds 86400

And an IPSec proposal:

ASA1 & ASA2
(config)# crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
(config-ipsec-proposal)# protocol esp encryption aes
(config-ipsec-proposal)# protocol esp integrity sha-1

We need an access-list to define the traffic we want to encrypt. In this example, we’ll encrypt all traffic between the 192.168.1.0/24 and 192.168.2.0/24 subnets:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

We need a crypto map to set the remote peer IP address, to combine the access-list with the proposal, and to activate it on the outside interface:

ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
ASA2(config)# crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

We configure a tunnel-group for each peer, which is where the pre-shared keys go:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO456
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO123

Enable IKEv2 on the outside interface:

ASA1 & ASA2
(config)# crypto ikev2 enable OUTSIDE

And last but not least, make sure each ASA has a route to the subnet on the other side:

ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

This completes our VPN configuration.

NAT Exemption

We now have a working configuration where we use PAT to translate traffic from our hosts and a site-to-site IPSec IKEv2 VPN tunnel.

Without NAT Exemption

Let’s see what happens without NAT exemption. First, we connect from S1 to S3 on the Internet:

S1#telnet 10.10.10.3 80
Trying 10.10.10.3, 80 ... Open

We can connect. No issues there. Let’s check our PAT translation:

ASA1# show xlate
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from INSIDE:192.168.1.101/51796 to OUTSIDE:10.10.10.1/51796 flags ri idle 0:00:39 timeout 0:00:30

Above, we see that traffic from 192.168.1.101 is translated to 10.10.10.1. Let’s try something else. I’ll clear the NAT table first:

ASA1# clear xlate
INFO: 1 xlate deleted

Let’s see what happens when we try to connect from S1 to S2:

S1#telnet 192.168.2.102 80
Trying 192.168.2.102, 80 ... 
% Connection timed out; remote host not responding

This isn’t working. There are no IKEv2 security associations:

ASA1# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

What is going on? Assuming our VPN configuration is correct, the problem must be somewhere else. Let’s take a look at the NAT table:

ASA1# show xlate
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from INSIDE:192.168.1.101/63774 to OUTSIDE:10.10.10.1/63774 flags ri idle 0:00:03 timeout 0:00:30

The output above explains the problem: traffic from S1 to S2 is translated to 10.10.10.1, exactly as traffic to the Internet is.

The ASA’s order of operations is that it first translates a packet with NAT and only then checks whether the packet matches a crypto map access-list. After translation, the packet has source 10.10.10.1 and destination 192.168.2.102, which doesn’t match our LAN1_LAN2 access-list (192.168.1.0/24 to 192.168.2.0/24), so no IKEv2 SA is built and the packet leaves the OUTSIDE interface in clear text.

ASA2 receives this unencrypted packet on its OUTSIDE interface (security level 0) and drops it, because no access-list permits traffic from the outside to the inside.

With NAT Exemption

To fix this, we need to make an exception so that traffic between 192.168.1.101 and 192.168.2.102 won’t be translated with NAT. We can do this with NAT exemption.
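As an added example (the lesson's own exemption configuration is not reproduced on this page), here is the manual NAT form of NAT exemption on ASA 8.3 and later, using object names LAN1 and LAN2 that I chose for this illustration; the interface names, subnets, and host addresses are the ones from the topology above.

```cisco
! ASA1: identity (manual) NAT so traffic from LAN1 to LAN2 keeps its real source address.
! LAN1 and LAN2 are new objects for this example; object INSIDE keeps its dynamic PAT.
ASA1(config)# object network LAN1
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config)# object network LAN2
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
!
! Manual NAT is section 1 of the NAT table and is evaluated before the object NAT
! (section 2) of object INSIDE, so this rule wins for LAN1 -> LAN2 traffic.
! Mapping LAN1 to LAN1 and LAN2 to LAN2 (identity) means "do not translate".
! no-proxy-arp: do not answer ARP for 192.168.2.0/24 on OUTSIDE.
! route-lookup: pick the egress interface from the routing table (route OUTSIDE 192.168.2.0 ...).
ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup
!
! ASA2: mirror image, so return traffic from S2 to S1 is exempted as well.
ASA2(config)# object network LAN2
ASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA2(config)# object network LAN1
ASA2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA2(config)# nat (INSIDE,OUTSIDE) source static LAN2 LAN2 destination static LAN1 LAN1 no-proxy-arp route-lookup
!
! Verification on ASA1: simulate S1 -> S2 on TCP/80. The NAT phase should now hit the
! manual rule (source stays 192.168.1.101) and the VPN phase should report encrypt
! with Result: ALLOW instead of the packet leaving OUTSIDE in clear text.
ASA1# packet-tracer input INSIDE tcp 192.168.1.101 12345 192.168.2.102 80
!
! Shows both NAT sections in evaluation order with per-rule hit counts.
ASA1# show nat
```

Traffic from S1 to S3 still hits the object NAT in section 2 and is translated as before; only LAN1 to LAN2 traffic is exempted, and once S1 connects to S2 the IKEv2 SA should appear in show crypto ikev2 sa on both ASAs.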

Content created by Rene Molenaar (CCIE #41726)