
[Network Address Translation (NAT)](/network-address-translation-nat) exemption, also known as NAT bypass or [NAT traversal](/ipsec-how-it-works-with-nat-t), is a feature used in [VPN](/vpn) configurations on Cisco devices to allow VPN traffic to bypass NAT processing. This is necessary because NAT can interfere with the [IPsec](/ipsec) VPN traffic, especially since IPsec relies on the integrity of the [IP](/ipv4) headers, which NAT modifies. Here’s a detailed explanation of NAT exemption in the context of VPNs on Cisco devices:

### What is NAT Exemption?
NAT exemption is a configuration that ensures certain traffic (specifically VPN traffic) is not subjected to NAT translation. By exempting VPN traffic from NAT, the original source and destination IP addresses are preserved, allowing for the proper establishment and functioning of the VPN tunnel.

### Why is NAT Exemption Needed?
1. **IPsec Integrity**: IPsec protocols (like [ESP and AH](/ipsec-nat-ah-and-esp)) rely on the original IP headers to ensure data integrity and authenticity. NAT alters these headers, causing the integrity checks to fail and the VPN traffic to be dropped.
2. **Address Consistency**: For VPN connections, the internal IP addresses need to be consistent and recognizable by both ends of the VPN tunnel. NAT can change these addresses, leading to misrouting or inability to establish the tunnel.
3. **Protocol Limitations**: Certain protocols used in VPNs (like AH in IPsec) cannot handle NAT due to their design, which includes the original IP headers in their hash calculations.

### How NAT Exemption Works on Cisco Devices
On Cisco devices, NAT exemption can be configured using Access Control Lists (ACLs) to define which traffic should be exempt from NAT. Here's how it is typically configured:

1. **Define the Traffic to be Exempt**:
   - Create an ACL that matches the traffic to be exempt from NAT. This usually includes traffic between the internal network and the VPN peers.

2. **Apply the ACL to the NAT Configuration**:
   - Configure the NAT rules to bypass NAT for the traffic matched by the ACL.

NAT exemption is a critical configuration in Cisco VPN setups to ensure that VPN traffic bypasses NAT processing, preserving the integrity and functionality of the VPN connection.

Links:

https://forum.networklessons.com/t/vpn-tunnel-due-to-nat-issue/48395/2?u=lagapidis

https://networklessons.com/cisco/asa-firewall/cisco-asa-nat-exemption

VPN - NAT Exemption

TCP RST flag

TCP SYN timeout

TCP header options

TCP phantom byte

TCP-IP model

TFTP

Tcl Shell

Telnet

Time to live

Traceroute - Interpreting output

Traceroute asterisk and !H responses

Traceroute

Transparent Cisco IOS Firewall use cases

Transport Layer port number

Troubleshooting - using Telnet to test transport layer ports

Troubleshooting a slow network

Troubleshooting high CPU and memory usage on a switch

UDP - Header

UDP - Maximum Datagram Size

Unicast Reverse Path Forwarding (uRPF)

Unicast traffic

Unknown unicast traffic

Upgrade your R&S skills to modern networking

VACL - Changes to ACL are active immediately

VACL - use cases

VACL vs ACL

VLAN - Extended Range

VLAN - Native VLAN best practices

VLAN - Native VLAN on a router on a stick

VLAN - Private VLAN

VLAN - QinQ troubleshooting

VLAN - Trunk interfaces don't appear in `show vlan` output

VLAN - VLAN IDs 0 and 4095

VLAN Access Lists

VLAN Mapping

VLAN SVI status

VLAN Tag

VLAN control frames

VLAN

VLANs - 802.1Q tunneling (QinQ)

VLANs - Dynamic VLAN membership (VMPS)

VLANs - QinQ and CDP

VLANs - Vlans allowed and active in management domain

VLANs - when a tagged frame arrives on an access port

VLANs SVI

VPN - IKEv2 peer address of 0.0.0.0 0.0.0.0

VPN - Interesting Traffic

VPN - crypto keepalive

VPN - default gateway for site to site VPN

VPN - default gateway of VPN client

VPN - split tunneling

VPN DVTI tunnel source

VRF - Definition mode

VRF - VPNv4 address

VRF capability vrf-lite command

VRF lite route leaking

VRF sharing across multiple routers

VRF use cases

VRRP - Virtual IP doesn't respond to pings

VRRP - load balancing

VRRP - support for authentication

VRRP - using the same ID on different interfaces

VRRP - using the same ID on subinterfaces

VRRP on sub-interfaces

VTP - Client can't modify VLANs

VTP - Code Field

VTP - Multiple Servers with VTP version 2

VTP - Per interface configuration

VTP - Pruning the Extended VLAN ID Range

VTP - Revision Numbers on transparent switch

VTP - Versions

VTP - domain name automatically changes

VTP - employing in an emulator

VTP - protecting switches from lower revision numbers

VTP Advertisements

VTP configuration checklist

VTP filtering shared VLANs

VTP how to disable the VLAN trunking protocol

VTP operation over trunks

VTP primary server

VTP revision number maximum

VTP revision number reset

VTP revision number

VXLAN - Control Plane Options

VXLAN - Use Cases

VXLAN - VLAN to VNI mapping

VXLAN - using an MP-BGP EVN control plane

VXLAN access trunk port

VXLAN

Value of Cisco certifications

Very-high-bit-rate  Digital Subscriber Line (VDSL)

Virtual Private LAN Service (VPLS)

Virtual Private Wire Service (VPWS)

Virtual Router Redundancy Protocol (VRRP)