NAT Exempt Issue



  • Hi all,

Well, I am new to the pfSense FW, with a Cisco ASA background.
    I have been looking for a way to expand the size of the protected subnets in a VPN tunnel built with my ASA, and I have chosen pfSense to be the new gateway, in a way that I build a new subnet (LAN for pfSense) with a WAN address that already exists in the VPN tunnel (LAN ASA). The easy way: the WAN of the pfSense is an IP address in the LAN of the ASA that already exists in the VPN tunnel protected network.
    So I have met my objectives and expanded my network, and everything is going OK, until a user with two computers asked me why he can't reach his second PC. When I checked I found that I had configured for him a desktop behind the pfSense and the laptop behind the ASA (WAN pfSense), so, as all FWs do, it will block traffic initiated on the WAN interface.
    I solved that by disabling firewall mode and turning the pfSense into a router only, but that way I could not reach the VPN peers any more.
    I want to ask: is there a way to configure (NAT exempt / NAT 0, from my ASA background) not to do NAT when going to the WAN address of the pfSense (ASA inside) but to do NAT when going anywhere else?
    I'm testing this in a virtual environment before messing with the production LAN.

    Thank you,
    ![PrtScr capture_2.jpg](/public/imported_attachments/1/PrtScr capture_2.jpg)


  • Netgate Administrator

    If you set outbound NAT to manual in Firewall: NAT: Outbound: then you can configure the NAT rules however you want. Alternatively if you disable NAT completely and use pfSense as a router only then you will need to tell the ASA about the subnet behind pfSense. Either via a static route or some routing protocol.

    Steve



Thanks for your reply,
    Well, I have already told the ASA about the subnet behind the pfSense. I have tried to ping from the ASA to an inside host of the pfSense, and it worked after adding the appropriate rule, but I can't figure out the right way to do manual NAT Outbound!

    Thanks again


  • Netgate Administrator

    So the default outbound NAT rule (when it's set to auto) catches all traffic from the LAN subnet and NATs it. If you switch to manual you can change the destination to something like '!WAN subnet' such that it will still NAT traffic for anything beyond the ASA LAN. However clients in the ASA LAN (pfSense WAN) subnet will still not have a route back to the pfSense LAN subnet.
I've not tried to set up anything like this, but I would suggest that disabling NAT entirely will probably be easier to work with than having it partially enabled.

    Steve
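As an added illustration of the two manual outbound NAT layouts discussed in this thread (a single "!WAN subnet" row versus an explicit no-NAT row ahead of a catch-all), here is a small Python model of pfSense's first-match outbound NAT evaluation. It is not code from the thread or from pfSense, and all addresses in it are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Union

# Constructed sample addressing (an assumption, not taken from the thread): the
# ASA inside LAN is the subnet the pfSense WAN sits in, the new subnet is behind
# pfSense, and a remote VPN-protected host is reached through the ASA tunnel.
ASA_LAN = IPv4Network("192.168.1.0/24")      # "WAN subnet" from pfSense's view
PFSENSE_WAN = IPv4Address("192.168.1.254")   # pfSense WAN address, inside ASA LAN
PFSENSE_LAN = IPv4Network("192.168.2.0/24")  # subnet behind pfSense
REMOTE_HOST = "10.50.0.5"                    # host behind the ASA VPN tunnel

@dataclass
class OutboundNatRule:
    """One row of Firewall: NAT: Outbound in manual mode."""
    src: IPv4Network
    dst: IPv4Network
    dst_negated: bool = False             # the "!WAN subnet" (invert) option
    nat_to: Optional[IPv4Address] = None  # None = no-NAT row (ASA 'nat 0' style)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        dst_hit = dst in self.dst
        if self.dst_negated:
            dst_hit = not dst_hit
        return src in self.src and dst_hit

def outbound_nat(rules: List[OutboundNatRule], src: Union[str, IPv4Address],
                 dst: Union[str, IPv4Address]) -> Optional[IPv4Address]:
    """First matching row wins; with no match, manual mode applies no NAT."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.nat_to
    return None

# Layout A (Steve's suggestion): a single row whose destination is "!WAN subnet".
NEGATED_RULES = [
    OutboundNatRule(PFSENSE_LAN, ASA_LAN, dst_negated=True, nat_to=PFSENSE_WAN),
]

# Layout B (the ASA "nat 0" habit): an explicit no-NAT row ahead of a catch-all.
EXEMPT_RULES = [
    OutboundNatRule(PFSENSE_LAN, ASA_LAN),                       # exempt row
    OutboundNatRule(PFSENSE_LAN, IPv4Network("0.0.0.0/0"), nat_to=PFSENSE_WAN),
]
if __name__ == "__main__":
    for dst in ("192.168.1.20", REMOTE_HOST, "8.8.8.8"):
        print(dst, outbound_nat(NEGATED_RULES, "192.168.2.10", dst),
              outbound_nat(EXEMPT_RULES, "192.168.2.10", dst))
```

Both layouts leave traffic to the ASA LAN un-NATed, which is exactly why hosts there still need a route back to the pfSense LAN subnet, as the reply above points out.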