
The difference between Identity NAT and NAT Exemption

According to the Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance book, “The main difference between identity NAT and NAT exemption is that with identity NAT, the traffic must be sourced from the address specified with the nat 0 statement, whereas with NAT exemption, traffic can be initiated by the hosts on either side of the security appliance. NAT exemption is a preferred method to bypass traffic when it is flowing over a VPN tunnel.”

So, what does this mean really?

Identity NAT
You would use Identity NAT when you want traffic from your inside interface to flow through to your outside interface without changing the address. An example scenario would be a private MPLS cloud with separate clients. Each client has a unique address space, so NATing is not necessary. Identity NAT is the solution because it also gives us the privacy of only allowing inside hosts to initiate communication with outside hosts.

Configuration
Identity NAT is simple to configure. All you have to do is use the NAT ID of 0 in your NAT statements.

nat (inside) 0 10.10.0.0 255.255.0.0

This statement bypasses NAT for traffic matching the IP addresses of 10.10.0.0/16 from the inside interface.

nat (inside) 0 0.0.0.0 0.0.0.0

This statement bypasses NAT for all traffic from the inside interface.

nat (inside) 0 10.10.1.0 255.255.255.0
nat (inside) 0 192.168.2.0 255.255.255.0
nat (inside) 0 172.16.30.0 255.255.255.0

These statements bypass NAT for the 10.10.1.0/24, 192.168.2.0/24 and 172.16.30.0/24 networks. You can have multiple nat 0 statements.

NAT Exemption
NAT Exemption is most commonly used for VPN traffic. With NAT Exemption, traffic specified in the access-list will be able to initiate new connections with your protected hosts. For this reason, you shouldn’t use NAT Exemption in place of identity NAT. You would put your hosts at risk.

Configuration
NAT Exemption uses ACLs to match traffic. Much like Identity NAT, the configuration process is fairly straightforward.

access-list NONAT permit ip 10.130.10.0 255.255.255.0 10.130.254.0 255.255.255.0
nat (inside) 0 access-list NONAT

These statements create a NAT Exemption policy on the inside interface for traffic between 10.130.10.0/24 and 10.130.254.0/24. This means that hosts on either network can initiate connections. Using Identity NAT, only the hosts on the inside would be able to create connections. Be cautious with NAT Exemption because you could accidentally open a security hole with the wrong statements.
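To make the difference concrete, here is an added Python script (not part of the original post or of any Cisco tool) that parses the two nat 0 forms shown above and reports which one, if any, lets a given connection bypass NAT. The sample config and the outside address 192.0.2.10 are constructed values; the script models only the nat 0 decision, not interface ACLs or other NAT rules.

```python
import ipaddress


def _net(addr, mask):
    """Build a network from ASA's 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_nat0(config_text):
    """Parse ASA 8.2 'nat (ifc) 0 ...' and 'access-list NAME permit ip ...' lines.
    Returns (identity_nets, exemption_acls, acls); everything else is ignored."""
    identity, exempt, acls = [], [], {}
    for line in config_text.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            acls.setdefault(p[1], []).append((_net(p[4], p[5]), _net(p[6], p[7])))
        elif len(p) >= 5 and p[0] == "nat" and p[2] == "0":
            ifc = p[1].strip("()")
            if p[3] == "access-list":
                exempt.append((ifc, p[4]))                 # NAT exemption
            else:
                identity.append((ifc, _net(p[3], p[4])))   # identity NAT
    return identity, exempt, acls


def nat0_match(parsed, src, dst, initiated_from):
    """Return 'exemption', 'identity', or None for one connection.
    src/dst are the connection's own addresses; initiated_from is 'inside' or
    'outside'. NAT exemption is checked first (as the ASA does) and matches the
    ACL in either direction, so outside hosts can open connections; identity NAT
    only matches connections sourced from the listed inside network."""
    identity, exempt, acls = parsed
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _ifc, name in exempt:
        for a_src, a_dst in acls.get(name, []):
            if (s in a_src and d in a_dst) or (s in a_dst and d in a_src):
                return "exemption"
    if initiated_from == "inside":
        for _ifc, net in identity:
            if s in net:
                return "identity"
    return None


# Constructed sample config combining both nat 0 forms from the article.
SAMPLE_CONFIG = """
nat (inside) 0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.130.10.0 255.255.255.0 10.130.254.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

if __name__ == "__main__":
    cfg = parse_nat0(SAMPLE_CONFIG)
    print(nat0_match(cfg, "10.10.5.5", "192.0.2.10", "inside"))       # identity
    print(nat0_match(cfg, "192.0.2.10", "10.10.5.5", "outside"))      # None
    print(nat0_match(cfg, "10.130.254.9", "10.130.10.7", "outside"))  # exemption
```

The third call is the case the article warns about: a host on the remote 10.130.254.0/24 side can initiate toward 10.130.10.0/24 under NAT Exemption, while the second call shows the same attempt against an Identity NAT network finds no bypass rule.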

  1. January 11, 2013 at 11:21 pm

    Good Article. Simple and precise. Thank you.

  2. February 6, 2013 at 11:27 pm

    “The difference between Identity NAT and NAT Exemption
    Cisco Talk” was indeed a very good post and also I actually ended up being really
    glad to locate the article. Thanks a lot, Shauna

  3. krishna
    March 13, 2013 at 12:14 pm

    good document and simple explanation and easy to understand for beginners.

    Thank you,
    Krishna

  4. Nilesh
    June 20, 2013 at 8:54 am

    Thanks a lot, Good explanation in simple language.

  5. ram
    July 2, 2013 at 1:47 pm

    Very good explanation, thank u so much

  6. Shishir
    October 2, 2013 at 4:16 pm

    Nicely explained. Simple, concise. Thanks!

  7. Sunanda Kundu
    December 17, 2013 at 11:08 am

    Good one…Learnt new concept….Thanks for the post

  8. February 9, 2014 at 7:58 am

    I’ve got a Cisco ASA NAT configuration document here:

    http://www.certvideos.com/command-reference/cisco-asa-nat-configuration/

    Hope that helps !
