(Optional) Configure NAT Exemption

NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption enables you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT). Use static identity NAT to consider ports in the access list.

When you configure static identity NAT for remote access or site-to-site VPN, you must configure NAT with the route lookup option. Without route lookup, the threat defense sends traffic out of the interface specified in the NAT command, regardless of what the routing table says. For example, if the threat defense sent DHCP scope traffic out of an incorrect interface, that traffic would never return to the interface IP address. The route lookup option lets the threat defense send, or intercept, the traffic directly on the interface IP address instead of through the interface. For traffic from the VPN client to a host on the inside network, the route lookup option still results in the correct egress interface (inside), so normal traffic flow is not affected.

Before you begin

Check if NAT is configured on the targeted devices where remote access VPN policy is deployed. If NAT is enabled on the targeted devices, you must define a NAT policy to exempt VPN traffic.

Procedure


Step 1

On your Secure Firewall Management Center web interface, click Devices > NAT.

Step 2

Select a NAT policy to update or click New Policy > Threat Defense NAT to create a NAT policy with a NAT rule to allow connections through all interfaces.

Step 3

Click Add Rule to add a NAT rule.

Step 4

On the Add NAT Rule window, select the following:

  1. Select the NAT Rule as Manual NAT Rule.

  2. Select the Type as Static.

  3. Click Interface Objects and select the source and destination interface objects.

Note

This interface object must be the same as the interface selected in the remote access VPN policy.

For more information, see Configure Access Interfaces for Remote Access VPN.

  4. Click Translation and select the source and destination networks:

    • Original Source and Translated Source

    • Original Destination and Translated Destination

Step 5

On the Advanced tab, select Do not proxy ARP on Destination Interface.

Do not proxy ARP on Destination Interface—Disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you need to be sure to have proper routes on the upstream router.

Step 6

Click OK.
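The following is an added example of what the rule built in Steps 1 through 6 looks like once deployed, as seen in the threat defense running configuration; it is not taken from this page or from Cisco's documentation. The object names (INSIDE-NET, VPN-POOL), the address ranges, and the interface names (inside, outside) are constructed placeholders. The `no-proxy-arp` keyword corresponds to the Do not proxy ARP on Destination Interface setting in Step 5, and `route-lookup` corresponds to the route lookup option that the introduction says is required for VPN traffic.

```cisco
! Added example: deployed threat defense NAT configuration produced by the FMC rule above.
! Object names, addresses and interface names are constructed placeholders.
!
! INSIDE-NET: protected hosts behind the inside interface.
! VPN-POOL:   address pool assigned to remote access VPN clients.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
!
! Manual NAT rule, static type (Step 4). The same object is used as both the
! original and translated address on the source and destination sides, so no
! translation takes place: this is NAT exemption. The interface pair matches
! the interface objects selected under Interface Objects, where "outside" is
! the interface the remote access VPN terminates on.
!
! no-proxy-arp : Do not proxy ARP on Destination Interface (Step 5)
! route-lookup : route lookup option required for VPN traffic (see introduction)
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
```

After deployment, `show running-config nat` on the threat defense CLI should show this line, and `show nat` lists the rule with its translate_hits and untranslate_hits counters, which should increase as VPN clients reach inside hosts. If the counters stay at zero while VPN traffic flows, the rule is most often either ordered after another manual NAT rule that matches first, or bound to an interface pair that does not match the interface selected in the remote access VPN policy.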