Cisco Defense Orchestrator

Exempt ASA Remote Access Traffic from NAT

Configure NAT Exempt to exempt traffic to and from the remote access VPN endpoints from NAT translation. If you do not exempt VPN traffic from NAT, ensure that the existing NAT rules for the outside and inside interfaces do not apply to the RA VPN pool of addresses. NAT exempt rules are manual static identity NAT rules for a given source/destination interface and network combination; they are hidden, so they are not shown in the NAT policy. If you enable NAT Exempt, you must also configure the following.

  • Inside Interfaces: Select the interfaces for the internal networks remote users will be accessing. NAT rules are created for these interfaces.
  • Inside Networks: Select the network objects that represent internal networks remote users will be accessing. The networks list must contain the same IP types as the address pools you are supporting.

Prerequisite

Create ASA network objects that match the configuration of the local IP address pools used in the connection profile and group policy of that device. These network objects must be assigned as the destination address and translated address when configuring the NAT rule. See Create an ASA Network Object.

Procedure

  1. In the CDO navigation bar, click Devices & Services.
  2. Use the Devices & Services filter and search field to find the ASA device for which you want to create the NAT rule.
  3. In the Management area of the details panel, click NAT.
  4. Click the blue + button > Twice NAT.
    1. In section 1, select Static. Click Continue.
    2. In section 2, select Source Interface = 'any' and Destination Interface = 'any'. Click Continue.
    3. In section 3, select Source Original Address = 'any' and Source Translated Address = 'any'.
    4. Select Use Destination.
      1. Destination Original Address and Destination Translated Address: Click Choose in the drop-down and select the network objects that match the configuration of the local IP address pools.
        In the example below, 'IPV4_Object' is the network object with the same configuration as the IPv4 address pool object used in the connection profile and group policy settings of the ASA device (BGL_ASA1_SH).
        [Figure: NAT_Exempt_ASA_VPN - the completed Twice NAT rule with IPV4_Object as the destination original and translated address]
    5. Select Disable proxy ARP for incoming packets.
    6. Click Save.
    7. Repeat the process from step 4 to create an equivalent rule for each of the other network objects that correspond to your IP address pools.
  5. Review and deploy configuration changes to the devices.
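As an added illustration that is not part of this page, the following is the ASA CLI equivalent of the Twice NAT rule the procedure above builds in CDO, together with the commands used to confirm the exemption is in effect; the object name IPV4_Object is taken from the example above, and the 192.0.2.0/24 pool range, the inside host 10.10.10.5 and the client address 192.0.2.20 are constructed values.

```cisco
! Constructed example, not generated by CDO: network object that mirrors the
! RA VPN IPv4 address pool used by the connection profile and group policy.
object network IPV4_Object
 description RA VPN IPv4 address pool (must match the local pool definition)
 subnet 192.0.2.0 255.255.255.0
!
! Manual static identity twice NAT (source any -> any, destination pool -> pool)
! with proxy ARP disabled, matching the Twice NAT settings chosen in the procedure.
! Being a manual rule it is evaluated before the interface PAT rules, so VPN
! client traffic keeps its pool address instead of being translated.
nat (any,any) source static any any destination static IPV4_Object IPV4_Object no-proxy-arp
!
! Verification: the rule should appear under the manual NAT section, and a simulated
! packet from an inside host to a VPN client should hit it rather than dynamic PAT.
show nat detail
packet-tracer input inside tcp 10.10.10.5 12345 192.0.2.20 443
```

If packet-tracer reports a dynamic or interface PAT rule in its NAT phase instead of this static rule, an earlier NAT rule is still matching the pool and must be reviewed.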
