Cisco ASA: NAT exemption

Remote access VPN

192.168.3.0/24 (vpnclient pool)===VPN===outside(ASA1)inside 192.168.1.0/24

Pre 8.3 version

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip any 192.168.3.0 255.255.255.0

or

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

8.3 and later

object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

or, with the inside network also defined as a network object (here ins-net for 192.168.1.0/24, paired with the obj-vpnpool object above):

nat (inside,outside) source static ins-net ins-net destination static obj-vpnpool obj-vpnpool

Site-to-site VPN

192.168.1.0/24 inside(ASA1)outside===VPN===outside(ASA2)inside 192.168.2.0/24

The protected networks on both ends of the tunnel are in RFC 1918 private address space, so traffic between the IPsec-protected networks must not be translated if it is to cross the tunnel correctly. At the same time, traffic from the inside hosts to other destinations on the Internet still has to be NATed. This is the typical scenario that requires NAT exemption.

Pre 8.3 version

nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

8.3 and later

object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
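The snippets above show only the exemption rule itself. The following is an added example, not part of the original notes, putting the 8.3-and-later site-to-site exemption next to the dynamic PAT rule that Internet-bound traffic still needs, plus the commands used to verify which rule a flow hits. The object names obj-local and obj-remote are the ones used above; the `no-proxy-arp route-lookup` options, the PAT rule, the sample host addresses and the Internet test address 203.0.113.10 are assumptions added here. The remote-access case from the first section has the same shape, with obj-vpnpool as the destination object.

```cisco
! Added example (not from the original notes): 8.3+ NAT exemption for a
! site-to-site tunnel together with the PAT rule for everything else.
! obj-local / obj-remote come from the notes above; all other values are assumed.

object network obj-local
 subnet 192.168.1.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0

! Section 1 (manual / twice NAT) is evaluated before section 2 (object NAT),
! so this identity rule matches tunnel traffic no matter where the PAT rule sits.
! no-proxy-arp keeps the ASA from answering ARP for the remote subnet on the
! outside interface; route-lookup (8.4(2) and later) selects the egress interface
! from the routing table rather than from the NAT rule, which is what identity NAT wants.
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup

! Section 2 (object NAT): PAT all other inside traffic to the outside interface address.
object network obj-local
 nat (inside,outside) dynamic interface

! Verification. For the tunnel flow, the NAT phase of the trace should reference the
! identity rule and the destination 192.168.2.10 should stay untranslated; the flow to
! the constructed Internet address 203.0.113.10 should hit the dynamic PAT rule instead.
packet-tracer input inside tcp 192.168.1.10 12345 192.168.2.10 80
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.10 80
show nat detail
```

On pre-8.3 code the equivalent pairing is `nat (inside) 0 access-list NONAT` for the exemption and `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface` for the PAT; there the `nat 0` rule takes precedence over the numbered nat statements, so the same check with `packet-tracer` applies.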