Actually, I was doing NAT exemption on ASA 8.0. I was not able to do NAT exemption from a lower security level to a higher security level, but I was able to do NAT exemption from a higher to a lower security level. Please tell me how it works.
Why is it not possible to do NAT exemption from lower to higher security level on ASA 8.0
cisco-asa
Best Answer
NAT Exemption is by definition bi-directional. If I have the following networks, with the following security-levels and IPs:
There will never be a case where I DON'T want to NAT between my Inside and DMZ, but I DO want to NAT between my DMZ and Inside. I'll either want to NAT, or not-NAT, between INSIDE/DMZ or DMZ/INSIDE, regardless of the direction or network where the traffic was initiated.
So Cisco, to avoid making you configure NAT Exemption in both directions, chose to make it bi-directional by default. And to leave ambiguity out, simply arbitrarily picked "High to Low" as the correct method for configuring NAT Exemption.
Much like NAT is typically configured from "High to Low" security levels.
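The following is an added example, not part of the original answer, showing what the "configure it once, high to low" behaviour looks like in pre-8.3 ASA syntax. The interface names, security levels, subnets and ACL name (inside/100 with 10.1.1.0/24, dmz/50 with 10.2.2.0/24, NONAT) are assumptions chosen for illustration; the answer's own network list is not on the page.

```cisco
! Assumed topology for this example (not from the original post):
!   inside  security-level 100  10.1.1.0/24
!   dmz     security-level 50   10.2.2.0/24

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! The exemption ACL is written from the HIGH side (inside) toward the LOW side (dmz).
! Because "nat 0 access-list" is bi-directional, this single rule also exempts
! dmz -> inside replies and dmz-initiated flows; no mirrored rule on dmz is needed.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! NAT exemption only bypasses translation. Traffic that STARTS on the lower
! security interface is still denied by the implicit rule unless an ACL permits
! it, so a DMZ host reaching an inside server also needs an access-list on dmz.
access-list DMZ_IN extended permit tcp host 10.2.2.10 host 10.1.1.10 eq 80
access-group DMZ_IN in interface dmz
```

To confirm the exemption is matched for a flow initiated from the lower side, run `packet-tracer input dmz tcp 10.2.2.10 1234 10.1.1.10 80` and check that the NAT phase reports the `nat (inside) 0 access-list NONAT` rule and that the result is ALLOW; `show xlate` should show no translation entry for that pair. If the ACL on dmz is missing, packet-tracer will show the flow dropped at the ACCESS-LIST phase even though the NAT exemption matched, which is the usual reason a "lower to higher" exemption appears not to work.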