Cisco Identity NAT vs NAT Exemption

Cisco Identity NAT vs NAT Exemption

According to the Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance book, “The main difference between identity NAT and NAT exemption is that with identity NAT, the traffic must be sourced from the address specified with the nat 0 statement, whereas with NAT exemption, traffic can be initiated by the hosts on either side of the security appliance. NAT exemption is a preferred method to bypass traffic when it is flowing over a VPN tunnel.”

So, what does this mean really?

Identity NAT
You would use Identity NAT when you want to traffic from your inside interface to flow through to your outside interface without changing the address. An example scenario would be a private MPLS cloud with separate clients. Each client has a unique address space so NATing is not necessary. Using Identity NAT is the solution because it provides us with the privacy of only allowing inside hosts to initiate communication with outside hosts.

Configuration
Identity NAT is simple to configure. All you have to do is use the NAT ID of 0 in your NAT statements.

1 nat (inside) 0 10.10.0.0 255.255.0.0

This statement bypasses NAT for traffic matching the IP addresses of 10.10.0.0/16 from the inside interface.

1 nat (inside) 0 0.0.0.0 0.0.0.0

This statement bypasses NAT for all traffic from the inside interface.

1 nat (inside) 0 10.10.1.0 255.255.255.0
2 nat (inside) 0 192.168.2.0 255.255.255.0
3 nat (inside) 0 172.16.30.0 255.255.255.0

This statement bypasses NAT for the 10.10.1.0/24, 192.168.2.0/24 and 172.16.30.0/24 networks. You can have multiple nat 0 statements.

NAT Exemption
NAT Exemption is most commonly used for VPN traffic. With NAT Exemption, traffic specified in the access-list will be able to initiate new connections with your protected hosts. For this reason, you shouldn’t use NAT Exemption in place of identity NAT. You would put your hosts at risk.

Configuration
NAT Exemption utilizes ACLs to match traffic. Much like Identity NAT, the configuration process is fairly straight forward.

1 access-list NONAT permit ip 10.130.10.0 255.255.255.0 10.130.254.0 255.255.255.0
2 nat (inside) 0 access-list NONAT

These statements create a NAT Exemption policy on the inside interface for traffic between 10.130.10.0/24 and 10.130.254.0/24. This means that hosts on either network can initiate connections. Using Identity NAT, only the hosts on the inside would be able to create connections. Be cautious with NAT Exemption because you could accidentally open a security hole with the wrong statements.

2 Responses so far.

Leave a Reply

Your email address will not be published. Required fields are marked *

three × 1 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.