NAT exemption (identity NAT) is usually required when a single ASA both performs NAT and terminates VPN tunnels, so that traffic bound for the far end of a tunnel is not translated before it is encrypted. In ASA releases prior to 8.3, a NAT exemption was configured with “nat (<interface>) 0 access-list <acl name>” together with the referenced access-list:
nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
Releases 8.3 and later require network objects and use the “nat” command differently. There are minor differences in some of the NAT options between the 8.3 releases and 8.4(1). The configuration above might look like the following on an ASA running 8.4(2):
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.255.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp
The object names (obj-192.168.1.0 and obj-10.0.0.0) are arbitrary; the objects are tied together in the “nat” command. In “source static <real> <mapped>”, the first object is the real source address and the second is the mapped source address. Because the same object is used for both, no source translation occurs.
The destination objects serve two purposes. The first object listed after “destination static” is the destination IP address of the packet before it passes through the ASA (the real address); the second is the destination IP address after it passes through (the mapped address). As with the source, these are the same object, so no destination translation is performed. What the destination objects add is scope: the identity translation applies only to traffic from 192.168.1.0/24 to the network defined in obj-10.0.0.0, so traffic from 192.168.1.0/24 to any other destination still matches the regular NAT rules. The “no-proxy-arp” keyword stops the ASA from answering ARP requests for the mapped addresses, which for an identity rule written against the “any” interface would otherwise be the inside addresses themselves. If the exemption is not working, “show nat” and “packet-tracer input inside tcp 192.168.1.10 1025 10.0.0.10 80” will show whether the identity rule is hit before the interface NAT rules.
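The mapping from the pre-8.3 form to the 8.3+ form is mechanical, so it can be scripted. The following converter is an added example written for this page, not code from the page or a Cisco tool: it reads “nat (iface) 0 access-list NAME” statements and the referenced “permit ip” ACEs from a saved config and emits the equivalent network objects and identity twice-NAT statements in the same form as the example above. The input config, the obj-<network> naming convention and the choice of “any” as the mapped interface are assumptions made for the example; the second ACE and the unrelated “outside_in” entry are constructed to show host entries and ignored ACLs.

```python
"""Convert pre-8.3 ASA NAT exemptions (nat 0 access-list + ACL) into the
8.3+/8.4 object-based identity twice-NAT form.

Added example for this page, not a Cisco tool. EXAMPLE_CONFIG is constructed:
the first two lines mirror the page's example, the rest is made up.
"""
import ipaddress
import re

NAT0_RE = re.compile(r"^nat\s+\((?P<iface>[^)]+)\)\s+0\s+access-list\s+(?P<acl>\S+)\s*$")

EXAMPLE_CONFIG = """\
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nat_exemption extended permit ip host 192.168.1.50 10.0.1.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.1.10 eq 443
nat (inside) 0 access-list nat_exemption
"""


def _take_net(tokens, i):
    """Consume one ACL address spec at tokens[i]: 'host A' or 'A MASK'.
    Anything else (e.g. 'any') raises ValueError so the caller can flag it."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ace(tokens):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into
    (name, src_net, dst_net); return None for any ACE this converter does not model."""
    name, body = tokens[1], tokens[2:]
    if body and body[0] == "extended":
        body = body[1:]
    if body[:2] != ["permit", "ip"]:
        return None
    try:
        src, i = _take_net(body, 2)
        dst, i = _take_net(body, i)
    except (IndexError, ValueError):
        return None
    if i != len(body):  # trailing keywords (log, time-range, ...) are not modelled
        return None
    return name, src, dst


def _render_object(name, net):
    """Emit an 'object network' block; /32 entries become 'host', others 'subnet'."""
    if net.prefixlen == 32:
        return [f"object network {name}", f" host {net.network_address}"]
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def convert_nat_exemption(config_text):
    """Return the 8.3+ config lines equivalent to every nat 0 exemption in config_text.
    Raises ValueError if a referenced ACL contains an ACE that cannot be converted,
    so no exemption is silently dropped."""
    nat0 = {}         # ACL name -> interface from 'nat (iface) 0 access-list NAME'
    aces = {}         # ACL name -> [(src_net, dst_net), ...] in config order
    unsupported = {}  # ACL name -> first ACE we could not model
    for raw in config_text.splitlines():
        line = raw.strip()
        tokens = line.split()
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group("acl")] = m.group("iface")
            continue
        if len(tokens) < 2 or tokens[0] != "access-list":
            continue
        parsed = _parse_ace(tokens)
        if parsed is None:
            unsupported.setdefault(tokens[1], line)
        else:
            name, src, dst = parsed
            aces.setdefault(name, []).append((src, dst))
    for acl in nat0:
        if acl in unsupported:
            raise ValueError(f"cannot convert {acl!r}, unsupported ACE: {unsupported[acl]}")

    objects = {}  # name -> network, insertion-ordered and deduplicated
    nat_lines = []
    for acl, iface in nat0.items():
        for src, dst in aces.get(acl, []):
            sname, dname = f"obj-{src.network_address}", f"obj-{dst.network_address}"
            objects[sname] = src
            objects[dname] = dst
            # Same object as real and mapped on both sides: identity NAT scoped to dst.
            nat_lines.append(
                f"nat ({iface},any) source static {sname} {sname} "
                f"destination static {dname} {dname} no-proxy-arp"
            )

    out = []
    for name, net in objects.items():
        out.extend(_render_object(name, net))
    out.extend(nat_lines)
    return out


if __name__ == "__main__":
    print("\n".join(convert_nat_exemption(EXAMPLE_CONFIG)))
```

The output for the page's single ACE is exactly the five lines shown above. Two things to check before pasting the result into a real ASA: the example copies the page's “(inside,any)” mapped interface, and restricting that to the interface the tunnel actually terminates on is the more common practice; and an ASA upgraded in place to 8.3 or later rewrites its NAT configuration automatically, so a converter like this is only needed when a config is being rebuilt by hand.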