Identity NAT (ASA 8.3/8.4)


In 8.2 and below we used NAT exemption (nat 0) to exempt traffic from being translated while going through the VPN and in other such scenarios. In 8.3 and above there is no such term as ‘NAT exemption’; the term used is Identity NAT.

Identity NAT with source and destination specified (Policy Based NAT):

This works like a policy NAT, but instead of defining an access-list and then referring to the ACL in a nat statement, you define both in a single command. The source will be translated to itself if it is destined for the specified destination. If it is destined for a destination other than the specified one, this translation rule won’t be used and the selection drops down to the next nat statement in the NAT table, and so on.

1. Create the network objects

ASA1(config)# object network internal_network
ASA1(config-network-object)#  subnet 172.16.1.0 255.255.255.0
ASA1(config-network-object)# object network remote_network
ASA1(config-network-object)#  subnet 192.168.1.0 255.255.255.0

2. Create the Identity NAT rule

ASA1(config)# nat (dmz,outside) source static internal_network internal_network destination static remote_network remote_network no-proxy-arp route-lookup

no-proxy-arp and route-lookup are two optional keywords in this statement, but you do want to use them on your Identity NAT statements!

Identity NAT with only the source specified:

Here, any traffic sourced from 172.16.1.0/24 will be translated to itself irrespective of the destination. You have to be very careful with this one.
Make sure it does not shadow any other translation statements in the NAT table for the same source subnet/hosts, and if it does then you should really know what you’re doing! :-P

1. Create the network objects

ASA1(config)# object network internal_network
ASA1(config-network-object)#  subnet 172.16.1.0 255.255.255.0

2. Create the Identity NAT rule

ASA1(config)# nat (dmz,outside) source static internal_network internal_network no-proxy-arp route-lookup

Using the Network Object NAT for Identity NAT:

ASA1(config)# object network internal_network
ASA1(config-network-object)#  subnet 172.16.1.0 255.255.255.0
ASA1(config-network-object)# nat (dmz,outside) static internal_network no-proxy-arp route-lookup

This works exactly like the 2nd example, except that it is placed in Section 2 of the Unified NAT table. You can use Network Object NAT for Identity NAT, but in most cases you would want to use the Twice NAT shown in the first two examples: it gives you full control over the source/destination addresses, and those rules are placed in Section 1 of the Unified NAT table, which makes them the preferred choice over a Network Object NAT that falls under Section 2.
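To make the shadowing caveat concrete, here is a small Python model of the first-match lookup over Sections 1 and 2 of the Unified NAT table. It is an added illustration, not ASA code and not from the original post; the rule names, the 203.0.113.1 PAT address and keeping Section 2 rules in list order are constructed assumptions.

```python
# Added illustration (not from the original post, not ASA code): a simplified
# first-match lookup over the Unified NAT table, showing how a source-only
# identity NAT placed in section 1 shadows a later policy NAT and the object NAT.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class NatRule:
    name: str                  # constructed label, not an ASA identifier
    section: int               # 1 = twice NAT (manual), 2 = network object NAT
    src: str                   # real source subnet
    mapped_src: str            # translated source; equals src for identity NAT
    dst: Optional[str] = None  # optional destination match (policy-style rule)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        return self.dst is None or ip_address(dst_ip) in ip_network(self.dst)

def lookup(table: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Return the first matching rule: all section 1 rules in configured order,
    then section 2 (assumption: section 2 kept in list order; the real ASA
    orders object NAT rules by static/dynamic, prefix size and object name)."""
    for rule in sorted(table, key=lambda r: r.section):  # sorted() is stable
        if rule.matches(src_ip, dst_ip):
            return rule
    return None

# Constructed table: identity NAT towards the VPN peer (from the post's first
# example) followed by a PAT to a constructed outside address for internet.
VPN_IDENTITY = NatRule("vpn-identity", 1, "172.16.1.0/24", "172.16.1.0/24", "192.168.1.0/24")
INTERNET_PAT = NatRule("internet-pat", 2, "172.16.1.0/24", "203.0.113.1/32")
GOOD_TABLE = [VPN_IDENTITY, INTERNET_PAT]

# The same table with a source-only identity NAT configured ahead of it.
SRC_ONLY = NatRule("src-only-identity", 1, "172.16.1.0/24", "172.16.1.0/24")
SHADOWED_TABLE = [SRC_ONLY, VPN_IDENTITY, INTERNET_PAT]

def describe(table: List[NatRule], src_ip: str, dst_ip: str) -> str:
    rule = lookup(table, src_ip, dst_ip)
    return "no match" if rule is None else f"{rule.name}: {src_ip} -> {rule.mapped_src}"

if __name__ == "__main__":
    for table in (GOOD_TABLE, SHADOWED_TABLE):
        print(describe(table, "172.16.1.10", "192.168.1.10"))  # VPN traffic
        print(describe(table, "172.16.1.10", "198.51.100.5"))  # internet traffic
```

With the source-only rule in front, internet-bound traffic from 172.16.1.0/24 never reaches the PAT rule, which is exactly the shadowing the post warns about.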

Here’s more on NAT -> https://networkology.net/tag/nat/


6 thoughts on “Identity NAT (ASA 8.3/8.4)”

  1. Pre-8.3 versions of ASA: it’s required when you have nat-control enabled or if you want to bypass/override a previously matching NAT rule.

    Post-8.4 versions of ASA: it’s required only if you want to bypass or override a previously matching NAT rule.

    Sorry for the delay in my response, I’ve been busy for a while. Hope the short reply to your question makes sense. :)
