Identity NAT v Exemption NAT

Discussion in 'Cisco' started by Kenny D, May 8, 2004.

  1. Kenny D

    Kenny D Guest

    Hello,

    I configured the following

    nat (inside) 0 0
    static (inside,outside) 172.16.1.1 172.16.1.1 netmask 255.255.255.255

    Also, on the outside ACL I permit any for testing. I
    want to be able to initiate connections from both the
    inside and the outside. With the above config I could
    initiate connections from the inside but not from the outside
    until I changed the config to

    nat (inside) 0 access-list inside-nets
    static (inside,outside) 172.16.1.1 172.16.1.1 netmask 255.255.255.255

    Is this the difference between identity NAT and NAT
    exemption, and if so, what exactly is going on here?

    Thanks.
     
    Kenny D, May 8, 2004
    #1

  2. In article <>,
    Kenny D <> wrote:
    :I configured the following

    :nat (inside) 0 0
    :static (inside,outside) 172.16.1.1 172.16.1.1 netmask 255.255.255.255

    :Also on the outside acl i permit any for testing. I
    :want to be able to initiate connections from both the
    :inside and outside.

    Initiate connections to where? The above would allow you to
    initiate connections from the outside to the host 172.16.1.1 .

    :With the above config i could
    :initiate conn's from the inside but not the outside
    :until i changed the config to

    :nat (inside) 0 access-list inside-nets
    :static (inside,outside) 172.16.1.1 172.16.1.1 netmask 255.255.255.255

    You do not give us any information about what the inside-nets access-list
    looks like.


    :Is this the difference between identity nat and nat
    :exemption and if so what exactly is going on here?

    identity map: each IP is mapped to itself, but
    incoming connections are not permitted unless there is also an
    appropriate static. Proxy ARP is supported unless it has been turned off.

    nat exemption: each IP is mapped to itself, and incoming connections are
    permitted even if there is no static configured. Proxy ARP is not supported.


    If you are setting up an IPSec tunnel, then if you do not want the
    traffic to be NAT'd, use nat exemption, not identity map.

    I usually think of identity map as having an additional layer of
    security relative to nat exemption, in that if you configure identity
    map, and your incoming ACL has a destination of 'any', then traffic
    will not be permitted to the inside hosts unless you configure a
    static; whereas, if you use nat 0 access-list thinking that all it
    does is "leave the IPs unchanged as they go out", and your incoming
    ACL has a destination of 'any', you are in for a surprise if you thought
    not having a static was going to protect your hosts. In theory, the
    two have the same security power, but it is human nature to tend
    to be overly general on access-lists, so security accidents are
    more *likely* with nat exemption.
    --
    "There are three kinds of lies: lies, damn lies, and statistics."
    -- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
     
    Walter Roberson, May 8, 2004
    #2
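The behaviour Walter describes, as an added worked example that is not part of the original thread and is not PIX code: a small Python model of the translation lookup a PIX 6.x performs for the two 'nat 0' forms, run against both versions of Kenny's config. The contents of the inside-nets access-list were never posted, so the model assumes it reads `permit ip 172.16.1.0 255.255.255.0 any`; the outside source 10.0.0.5 and the second inside host 172.16.1.50 are constructed test addresses. The point it makes visible is the "surprise" in the reply: with `nat 0 access-list` and an outside ACL of `permit any`, every host the exemption ACL covers becomes reachable from the outside, static or not, whereas with `nat 0 0` only the host with a static is.

```python
"""Toy model of the PIX 6.x translation lookup for 'nat 0' (identity NAT)
versus 'nat 0 access-list' (NAT exemption).  Added illustration, not PIX
code; the configs and addresses below are constructed for the example.

Rules modelled (as stated in the reply above):
  identity NAT  : 'nat (inside) 0 0' maps inside hosts to themselves on the
                  way OUT only; an inbound flow still needs a static.
  NAT exemption : 'nat (inside) 0 access-list X' maps hosts matching X to
                  themselves in BOTH directions, no static needed.
  Either way an inbound flow must also be permitted by the outside ACL.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass
class Acl:
    """Ordered 'permit ip <src> <dst>' entries with the implicit deny at the end."""
    entries: list = field(default_factory=list)

    def permits(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        return any(src in s and dst in d for s, d in self.entries)


@dataclass
class PixConfig:
    identity_nat: bool = False                  # nat (inside) 0 0
    exemption_acl: Acl = None                   # nat (inside) 0 access-list <acl>
    statics: set = field(default_factory=set)   # static (inside,outside) X X
    outside_acl: Acl = field(default_factory=Acl)

    def has_static(self, host):
        return ip_address(host) in {ip_address(s) for s in self.statics}


def has_inbound_translation(cfg, outside_src, inside_dst):
    """Does a flow arriving on 'outside' find a translation for inside_dst?"""
    if cfg.has_static(inside_dst):
        return True, "static"
    # The exemption ACL is written from the inside's point of view, so for
    # inbound traffic it is matched with source and destination swapped.
    if cfg.exemption_acl and cfg.exemption_acl.permits(inside_dst, outside_src):
        return True, "nat exemption"
    # Identity NAT on its own never produces an inbound translation.
    return False, "no translation group found"


def inbound_permitted(cfg, outside_src, inside_dst):
    """(allowed, reason) for a connection initiated from the outside."""
    ok, why = has_inbound_translation(cfg, outside_src, inside_dst)
    if not ok:
        return False, why
    if not cfg.outside_acl.permits(outside_src, inside_dst):
        return False, "denied by outside ACL"
    return True, why + " + outside ACL permit"


def outbound_permitted(cfg, inside_src, outside_dst):
    """(allowed, reason) for a connection initiated from the inside.
    No inside ACL is modelled: outbound passes whenever a translation exists."""
    if cfg.has_static(inside_src):
        return True, "static"
    if cfg.identity_nat:
        return True, "identity nat"
    if cfg.exemption_acl and cfg.exemption_acl.permits(inside_src, outside_dst):
        return True, "nat exemption"
    return False, "no translation group found"


def reachable_from_outside(cfg, outside_src, inside_hosts):
    """Which of inside_hosts can outside_src open a connection to?"""
    return [h for h in inside_hosts if inbound_permitted(cfg, outside_src, h)[0]]


# Constructed configs mirroring the two versions posted in the thread.
PERMIT_ANY = Acl([(ANY, ANY)])                  # the 'permit any' outside ACL
STATIC_HOST = {"172.16.1.1"}

identity_cfg = PixConfig(identity_nat=True, statics=STATIC_HOST,
                         outside_acl=PERMIT_ANY)

# Assumed contents of inside-nets (not shown in the thread).
inside_nets = Acl([(ip_network("172.16.1.0/24"), ANY)])
exemption_cfg = PixConfig(exemption_acl=inside_nets, statics=STATIC_HOST,
                          outside_acl=PERMIT_ANY)

# Same exemption, but the outside ACL names only the host meant to be exposed.
tight_acl = Acl([(ANY, ip_network("172.16.1.1/32"))])
exemption_tight_cfg = PixConfig(exemption_acl=inside_nets, statics=STATIC_HOST,
                                outside_acl=tight_acl)

if __name__ == "__main__":
    hosts = ["172.16.1.1", "172.16.1.50"]   # constructed: one static, one not
    for name, cfg in [("identity nat", identity_cfg),
                      ("nat exemption", exemption_cfg),
                      ("nat exemption + tight ACL", exemption_tight_cfg)]:
        print(f"{name:26s} reachable from 10.0.0.5: "
              f"{reachable_from_outside(cfg, '10.0.0.5', hosts)}")
```

Under the identity config only 172.16.1.1 is reachable from the outside; under the exemption config with `permit any` both hosts are, which is the accident the reply warns about. The third config keeps the exemption (so an IPSec peer's traffic still bypasses NAT) and closes the hole where it belongs, in the outside ACL.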
