Migrating ASA NAT Exemption Configuration

NAT exemptions are often required when a single ASA appliance is both performing NAT and terminating VPN connections, so that traffic destined for the remote VPN network bypasses the interface NAT rules.  In ASA configurations prior to 8.3, NAT exemptions were configured with "nat (<interface>) 0 access-list <acl name>" and a related access-list that matched the traffic to be exempted.

nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

Configurations on 8.3 and later require network objects and use the nat statement differently.  There are some minor differences in the available NAT options between 8.4(1) and the 8.3 releases. The above configuration might look like the following when configured on an ASA running version 8.4(2) of the ASA operating system.

object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
object network obj-10.0.0.0
  subnet 10.0.0.0 255.255.255.0

nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp

The object names (obj-192.168.1.0 and obj-10.0.0.0) are arbitrary, although naming them after the network they contain makes the resulting nat statement easier to read. These objects are brought together in the "nat" command. Since the same object name is used twice in the source (real and mapped), no source translation occurs.

The destination objects perform a couple of functions.  The first object name listed after "destination static" is the destination IP address of the packet before it goes through the ASA. The second is the destination IP address of the packet after it goes through the ASA. Like the source objects, these are the same, so no destination translation is performed. However, the scope of the static xlate is limited to the destinations defined in obj-10.0.0.0; traffic from 192.168.1.0/24 to any other destination is not matched by this rule and will still hit the interface NAT rules.
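The translation above is mechanical enough to script. The following is an added example, not code from the original post, and not a Cisco tool: it parses a pre-8.3 "nat (interface) 0 access-list" statement plus the permit entries of its access-list, and emits the 8.3+ network objects and identity twice-NAT statements in the form shown above. It goes slightly beyond the article's single entry by also handling "host" entries and by de-duplicating objects referenced by more than one ACE. The sample input is constructed for the example (the article's line plus one host entry); deny entries and "any" endpoints are rejected with an error rather than silently converted, because this example does not attempt to model them.

```python
"""Convert a pre-8.3 ASA NAT exemption (nat 0 access-list) into 8.3+ syntax.

Added example; assumes the input is plain running-config text in the forms
  nat (<interface>) 0 access-list <acl>
  access-list <acl> extended permit ip <src> <dst>
where each endpoint is either "host A.B.C.D" or "NET MASK".
"""
import re

# Constructed sample input: the article's entry plus one host entry.
SAMPLE_OLD_CONFIG = """\
nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nat_exemption extended permit ip host 192.168.1.50 10.0.1.0 255.255.255.0
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _take_endpoint(tokens):
    """Consume one ACE endpoint from the front of tokens.

    Returns (object_name, object_body_line, remaining_tokens).
    Only "host A.B.C.D" and "NET MASK" are supported; anything else
    (e.g. "any", object-group references) raises ValueError.
    """
    if tokens and tokens[0] == "host" and len(tokens) >= 2 and IPV4_RE.match(tokens[1]):
        addr = tokens[1]
        return f"obj-{addr}", f"  host {addr}", tokens[2:]
    if len(tokens) >= 2 and IPV4_RE.match(tokens[0]) and IPV4_RE.match(tokens[1]):
        net, mask = tokens[0], tokens[1]
        return f"obj-{net}", f"  subnet {net} {mask}", tokens[2:]
    raise ValueError(f"unsupported ACE endpoint: {' '.join(tokens)}")


def convert_nat_exemption(old_config):
    """Return the 8.3+ equivalent of a pre-8.3 NAT exemption configuration.

    Output is the network objects followed by one identity twice-NAT
    statement per permit ACE, in the "nat (<if>,any) source static X X
    destination static Y Y no-proxy-arp" form used in the article.
    """
    nat0 = {}   # acl name -> interface named in "nat (<if>) 0 access-list"
    aces = []   # (acl name, action, endpoint tokens)
    for raw in old_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(2)] = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1), m.group(2), m.group(3).split()))
            continue
        raise ValueError(f"unrecognised line: {line}")

    objects = {}    # object name -> body line; dict keeps insertion order
    nat_lines = []
    for acl, action, tokens in aces:
        if acl not in nat0:
            continue  # ACL is not referenced by a nat 0 statement; leave it alone
        if action == "deny":
            raise ValueError(f"deny ACE in {acl} is not converted by this example: "
                             + " ".join(tokens))
        src_name, src_body, rest = _take_endpoint(tokens)
        dst_name, dst_body, rest = _take_endpoint(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {' '.join(rest)}")
        objects.setdefault(src_name, src_body)
        objects.setdefault(dst_name, dst_body)
        nat_lines.append(
            f"nat ({nat0[acl]},any) source static {src_name} {src_name} "
            f"destination static {dst_name} {dst_name} no-proxy-arp"
        )

    out = []
    for name, body in objects.items():
        out += [f"object network {name}", body]
    out.append("")
    out += nat_lines
    return "\n".join(out)


if __name__ == "__main__":
    print(convert_nat_exemption(SAMPLE_OLD_CONFIG))
```

Objects are emitted before the nat statements because the ASA rejects a nat statement that references an object not yet defined. Review the output before pasting it into a device: the script reproduces the article's identity-NAT form and nothing else, so any exemption ACL that relies on entries it refuses (deny, any, object-groups) still needs to be migrated by hand.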

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

7 Responses to Migrating ASA NAT Exemption Configuration

  1. Great! Thank you very much.

  2. Imim says:

    Great article.

    Can you please make an article that will compare the IOS version 7.2 to 8.4

    Thank you.

    • Paul Stewart says:

      If you are asking in regards to NAT exemption, this article should cover it. ASA OS 8.2 and earlier are configured using the “nat (interface) 0” command. 8.3 and later uses object groups. If you are asking about some other feature or configuration, let me know what it is you are looking for. Thanks for the comment.

  3. user says:

    Thank you very much! I had a hard time with this when I upgraded my pix, and no one put it out there as clear as you did.

  4. joey says:

    What if the ACL policy used on NAT (0) contains a deny, how will it be converted in 8.3 or newer version?

    access-list no-nat extended deny ip host 148.177.33.11 any
    access-list no-nat extended deny ip host 10.35.224.41 any
    nat (JJNet) 0 access-list no-nat

  5. Rodrigo says:

    Hey Joey, did you find out an answer to your question regarding deny ACE statements in a NAT(0) ACL? Any clue will be appreciated. Thanks in advance!
