Cisco ASA NAT Exemption

This topic is to discuss the following lesson:

Hello Rene,

What device did you use for the cloud? The one that I saw in gns3 has 3 interfaces, not 3. This lab requires 3 interfaces for the cloud device.

Hello Patrice

Because the two ASAs and the S3 server are on the same subnet in the topology, you can simply use a switch to represent the cloud. The prerequisite is that connectivity is achievable between those devices.

I hope this has been helpful!


Hi Rene and staff,
i lab this lesson in GNS3 like this
S1,S2, S3 are build with GNS3 appliance Networkers’s toolkit
Guest-webterm is a linux GUI client with firefox, build with the GNS3 appliance Webterm

My lab works fine, but i want to add these comments and questions
i prefer to name the internal subnet object as “INTERNAL” rather than “INSIDE”, not to be confused between a network object and the name (if) of the internal interface.
So the nat configuration becomes

  • nat (inside,outside) source static INTERNAL INTERNAL destination static LAN2 LAN2
  • nat (inside,outside) source static INTERNAL INTERNAL destination static LAN1 LAN1

Could you clarify this command step by step, because i am confused with the repetition of the network objects ?
Also i am confused with the place of the NAT commands: why are some NAT commands inside network objects, and some others in general config ?

  1. IOS and ASA are quite different when configuring VPN site to site (i used to configure vpn site to site with ios)
    Where you used “authentication pre-share” with IOS in phase 1, you have to use tunnel-group with ASA, is not it ?
    Cisco’s help says you have to use a WORD…but this is not working when you use a word that is not the IP address of the neighbor. The configuration is accepted, but this is not working. Do you know why ? So it is not working, but … suppose you use a WORD: in this case, it should be referenced in another place ? where ?

For your NAT, you’re saying this.

NAT the following:
NAT (INTERNAL IP) and change to (INTERNAL IP) in this case do not change it!
NAT (LAN2) and change to (LAN2) in this case do not change it!

NAT on ASA are broken the down like this every time.
Original Source IP:
Translated Source IP:
Destination IP:
Translated Destination IP:

If both source/destination stay the same, we are exempting them from all NAT statements, especially our PAT statement for internet traffic so they match our crypto ACL for a tunnel. This is called a NAT exemption for this reason.

You need to configure some variable within a tunnel group depending on the type. So you create it like you did with the tunnel-group NAME command. But you also need to clarify values.

As an example for a IPSec Remote Access Tunnel Group.
tunnel-group "tunnel_group_name" type ipsec-ra

For an IPSec RA tunnel for example, you need to configure some attributes.
tunnel-group "tunnel_group_name" general-attributes
In here you configure things like authentication servers, default group policy to reference.

For a L2L Tunnel group it might look something like this:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
1 Like

Hello Dominique

What’s happening here is something called “twice NAT” and is used to identify both the source and destination address in a single rule. As stated in this Cisco documentation:

Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.

And actually, when you use the same object for both real and mapped addresses, you are doing a very special type of twice NAT called Identity NAT. This is where the real and mapped objects are the same. Identity NAT simply says “translate to the same address” or simply “don’t translate”.

You can find out more about Identity NAT at the following Cisco link:

You can also find out more at this post:

This has to do with the way in which NAT is applied. When the NAT statement is within the object, this kind of configuration is called network object NAT. It’s a quick and easy way to configure NAT for a single IP address or a range of addresses, or a subnet. The NAT command within the object is applied to the similarly configured subnet within the object. You can find out more about it here:

Looking at the lesson I do see a typo where the NAT statement was outside the object, so I’ll let Rene know to fix that…

This command will specify a tunnel-group, but you must create and configure the tunnel-group for it to function. This can be done using several command modes including:

tunnel-group general-attributes
tunnel-group ipsec-attributes
tunnel-group webvpn-attributes
tunnel-group ppp-attributes

One or more of the above should be used to enter the configuration mode of the particular attributes for this tunnel group. More about this can be found at this Cisco ASA command reference:

You can find out more details on how to configure these and what all of their parameters are at the following Cisco documentation:

Note that the entities called “tunnel-groups” are now called VPN connection profiles, however, the syntax seems to be the same.

I hope this has been helpful!


1 Like

Hello Laz,

I’ve tried this same config but the exemption only works on my topology when the NAT exemption statement is above the NAT statement for internet connection.

Basically this 3 order of statement works for me:
1st for DMZ to OUTSIDE statement (DMZ to INTERNET)
2nd for INSIDE to OUTSIDE exemption statement
3rd for INSIDE to OUTSIDE dynamic statement (INTERNAL TO INTERNET)

but when I swapped the 2nd and 3rd, the traffic coming from behind of the ASA will go through 2nd statement, not to the 3rd which is for the exemption.