Feb 8, 2013

NAT Exemption for intra-interface traffic

Both sites A and B have IPsec L2L tunnels to HQ ASA. Remote users send traffic to the Web through the VPN tunnels and also communicate with each other.

HQ ASA has dynamic PAT rules to translate traffic coming from remote sites using the outside interface IP address before routing the traffic to the Web. It is also configured to allow intra-interface traffic:

nat (outside) 1
nat (outside) 1
nat (inside) 1 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface

For traffic coming from a higher security level interface to a lower one (outbound traffic), you don't need to create a rule to exempt returning traffic from NAT:

Source: (inside)
Destination: (outside)

access-list inside-nonat permit ip
nat (inside) 0 access-list inside-nonat

However, if source and destination are routed through the same interface, you need to create two ACEs, otherwise returning traffic would match the PAT rule:

Feb 6, 2013

Multi-context FWSM ACL partition

When you convert a FWSM from single to multiple mode (security contexts), the system creates pools of resources (aka partitions). These pools limit the number of rules (ACEs, AAA rules, Policy NAT, and others) that can be created on each context. The FWSM uses 12 partitions by default (maximum value) and each context is assigned to its own partition, unless you have more than twelve contexts. In this case, the system will assign more than one context to each partition, sharing resources between them.