Configure ACLs and Content Filters
nat 0 ACLs

The nat 0 command enables a host or network to be exempt from NAT. The nat 0 access-list command takes this a step further by enabling administrators to exempt from NAT any traffic that is matched by an access-list entry. Destination-sensitive nat 0 access-list is usually used in VPN scenarios.

In the figure, the users in the corporate office wish to communicate with the branch site over a VPN tunnel. To accomplish this, the administrator employs nat 0 access-list. The IP source network, 10.0.0.0/24, and the IP destination network, 10.200.0.0/24, are defined in the ACL, and the ACL is applied to the nat 0 command. Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not translated by the PIX. For example, the internal host 10.0.0.11 is permitted to bypass NAT when connecting to the outside host 10.200.0.3. The nat 0 access-list supports both inbound and outbound connections with no restrictions.

The figure shows the syntax of the nat 0 access-list command.

In the figure, the home-office/small-office worker wants to access the corporate network via VPN without local translation, and the Internet with a translated address. To access the corporate network, nat 0 access-list is configured. The access list, VPN-NO-NAT, defines both the source network of the traffic, 10.100.1.0, and the destination network, 10.10.0.0. Any traffic that matches the access-list statement is not translated, so corporate traffic passes through the PIX untranslated.

The second requirement is to translate any traffic bound for the Internet. The nat (inside) 1 statement defines the source network, 10.100.1.0. The global address is based on the IP address of the outside interface. The nat 0 command takes precedence over the nat (inside) 1 command: any packets that match the ACL are transmitted without translation, and any 10.100.1.0 network packets that do not match the VPN-NO-NAT access list are translated by the PIX.
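To make the precedence concrete, here is an added example (not from the original text or from Cisco) that parses a constructed PIX 6.x configuration for the home-office scenario and reports, for a given flow, whether the PIX forwards it untranslated or with the outside interface address. The /24 and /16 masks, the outside interface address and the global (outside) 1 interface line are assumptions, since the text does not state them.

```python
from ipaddress import ip_address, ip_network

# Constructed PIX 6.x configuration for the home-office scenario.
# Masks (/24, /16), the outside address and the global line are assumed.
PIX_CONFIG = """
access-list VPN-NO-NAT permit ip 10.100.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list VPN-NO-NAT
nat (inside) 1 10.100.1.0 255.255.255.0
global (outside) 1 interface
"""
OUTSIDE_IF_ADDR = "203.0.113.2"  # assumed outside interface address


def parse_config(text):
    """Collect ACL entries and nat statements from the config text."""
    acls, nat_rules = {}, []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[2] == "permit":
            # access-list NAME permit ip SRC SMASK DST DMASK
            src_net = ip_network(f"{f[4]}/{f[5]}")
            dst_net = ip_network(f"{f[6]}/{f[7]}")
            acls.setdefault(f[1], []).append((src_net, dst_net))
        elif f[0] == "nat":
            nat_id = int(f[2])
            if nat_id == 0 and f[3] == "access-list":
                nat_rules.append((0, "acl", f[4]))          # NAT exemption
            else:
                nat_rules.append((nat_id, "net", ip_network(f"{f[3]}/{f[4]}")))
    return acls, nat_rules


def translate(src, dst, acls, nat_rules):
    """Return the source address seen on the outside for src->dst."""
    src, dst = ip_address(src), ip_address(dst)
    # nat 0 access-list is checked first: it takes precedence over nat (inside) 1.
    for nat_id, kind, ref in sorted(nat_rules, key=lambda r: r[0]):
        if kind == "acl":
            if any(src in s and dst in d for s, d in acls[ref]):
                return str(src)          # exempt: forwarded without translation
        elif src in ref:
            return OUTSIDE_IF_ADDR       # translated to the outside interface address
    return None                          # no nat statement covers this source
```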