Why to use Identity NAT for VPNs in ASA 8.3 and above?

Question: Why do we use Identity NAT for VPN traffic if NAT isn’t a mandatory requirement in ASA 8.3 and above?

Answer: If your VPNs are terminated on the outside interface and you have a Dynamic PAT being used on that interface then all traffic going in the direction of the Dynamic PAT (eg: inside to outside) will be matched against it and be translated as per the Dynamic PAT rule. This is why you have to define Identity NATs so that the VPN traffic is differentiated from normal traffic and is matched before the Dynamic PAT.

So to sum it up;

1. If you have a Dynamic PAT or any other form of NAT that shadows your VPN traffic then you need to define the Identity NAT statements and make sure they are at the top of the Unified NAT table.

2. And if you have a Dynamic PAT or any other form of NAT that does not shadow your VPN traffic at all, then you need not define any NAT statements.

The direction of the NAT is important. If there is a Dynamic PAT matching all traffic from inside-to-outside, and your VPN traffic is from dmz-to-outside, then again you don’t need any Identity NATs because there is no Dynamic PAT for the dmz-to-outside traffic.

Note: Identity NAT for VPNs (having the source and destination specified) are placed in the Section 1 of the unified NAT table and will always have preference over the Auto NAT section i.e. Section II. Dynamic PAT has the least preference amongst all the flavors of NAT and will always be placed at the bottom of Section II in the unified NAT table.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s