The nat 0 command enables a host or network to be exempt from NAT. The nat 0 access-list command takes this a step further by enabling administrators to exempt from NAT any traffic that is matched by an access-list entry.
Destination-sensitive nat 0 access-list is usually used in VPN scenarios. In Figure , the users in the corporate office wish to communicate with the branch site over a VPN tunnel. To accomplish this, the administrator employs nat 0 access-list. The IP source network, 10.0.0.0/24, and the IP destination network, 10.200.0.0/24, are defined in the ACL, and the ACL is applied to the nat 0 command. Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not translated by the PIX. For example, the internal host 10.0.0.11 is permitted to bypass NAT when connecting to the outside host 10.200.0.3. The nat 0 access-list exemption supports both inbound and outbound connections with no restrictions. Figure shows the syntax of the nat 0 access-list command.
In Figure , the home-office/small-office worker wants to access the corporate network via VPN without local translation, and the Internet with a translated address. To access the corporate network, nat 0 access-list is configured. The access list, VPN-NO-NAT, defines both the source network of the traffic, 10.100.1.0, and the destination network, 10.10.0.0. Any traffic that matches the access-list statement, that is, traffic bound for the corporate network, is not translated by the PIX.
The second requirement is to translate any traffic bound for the Internet. The nat (inside) 1 statement defines the source network, 10.100.1.0. The global address is based on the IP address of the outside interface. The nat 0 command takes precedence over the nat (inside) 1 command: any packets that match the ACL are transmitted without translation, and any 10.100.1.0 network packets that do not match the VPN-NO-NAT access list are translated by the PIX.
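The home-office configuration described above, written out as an added example rather than the book's own figure. The text gives only the network addresses, so the subnet masks (255.255.255.0 for 10.100.1.0 and 255.255.0.0 for 10.10.0.0) are assumptions; lines beginning with ! are annotations, not commands.

```text
! Added example, not the book's figure. Masks are assumptions.
!
! Home-office LAN to corporate network: matched by the ACL, so exempt
! from translation when applied through nat 0.
access-list VPN-NO-NAT permit ip 10.100.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list VPN-NO-NAT
!
! Everything else sourced from 10.100.1.0/24 (Internet-bound traffic) is
! translated to the outside interface address. nat 0 is evaluated first,
! so packets matching VPN-NO-NAT never reach this rule.
nat (inside) 1 10.100.1.0 255.255.255.0
global (outside) 1 interface
```

Because the exemption is decided by the ACL, a source/destination pair that is not covered by VPN-NO-NAT is silently translated, so the ACL's networks must match the VPN peer networks exactly.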