(Optional) Configure NAT Exemption
NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Like identity NAT, you do not limit translation for a host to specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption lets you specify both the real and the destination addresses when determining which real addresses to translate (similar to policy NAT). If you need to consider ports in the access list, use static identity NAT instead.
Before you begin
Check whether NAT is configured on the target devices where the remote access VPN policy is deployed. If NAT is enabled on those devices, you must define a NAT policy that exempts VPN traffic from translation.
Procedure
Step 1  On your Cisco Defense Orchestrator web interface, click Devices > NAT.

Step 2  Select a NAT policy to update, or click New Policy > Threat Defense NAT to create a NAT policy with a NAT rule that allows connections through all interfaces.

Step 3  Click Add Rule to add a NAT rule.

Step 4  On the Add NAT Rule window, select the following:

Step 5  On the Advanced tab, select Do not proxy ARP on Destination Interface.

        Do not proxy ARP on Destination Interface: Disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you must make sure the upstream router has proper routes.

Step 6  Click OK.
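As an added example, not part of this Cisco procedure, the same exemption expressed in the ASA-style NAT syntax that a Threat Defense device shows in its running configuration; the object names and subnets (INSIDE-NET, VPN-POOL and their addresses) are constructed assumptions, and the commented dynamic PAT rule stands in for whatever Internet-access NAT is already deployed on the device.

```cisco
! Constructed example: protected network behind the inside interface
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
! Constructed example: address pool assigned to remote access VPN clients
object network VPN-POOL
 subnet 10.2.2.0 255.255.255.0
! Existing (assumed) object NAT for Internet access. On its own it also catches traffic
! to VPN clients, so replies from inside hosts leave with a translated source address
! and never reach the tunnel. This is the situation the exemption rule must fix.
object network INSIDE-NET
 nat (inside,outside) dynamic interface
! NAT exemption: a manual (twice) NAT rule that maps the real source and destination to
! themselves. Manual NAT (section 1) is evaluated before object NAT (section 2) regardless
! of where it appears in the configuration. no-proxy-arp corresponds to the GUI option
! "Do not proxy ARP on Destination Interface": the device will not answer ARP requests
! for 10.1.1.0/24 on the outside interface, so the upstream router needs a route instead.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp
! Check: trace a packet from a protected host to a VPN client. The NAT phase of the output
! should report the exemption rule above rather than the dynamic PAT rule.
packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 443
```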