September 14, 2016
There are situations in which you need to configure Identity NAT. This type of NAT explicitly translates networks to themselves. It is often placed before a PAT rule – for example, if you want to send some traffic into a VPN tunnel, you don’t want your PAT rule to translate it first.
Let’s take an example from a Cisco ASA configuration. The following picture shows the traffic before Identity NAT was configured – the PAT rule takes effect and the traffic is not put inside any VPN tunnel.
Let’s now configure Identity NAT before the PAT rule. Site1 is the 10.10.1.0/24 network and Site3 is the 10.10.3.0/24 network. They are translated to themselves (source and destination IP remain Original).
If you run the test again, the Identity NAT takes precedence over the PAT rule and the traffic is put inside the VPN tunnel (the last position on the list in the picture below).
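The configuration described above, written out as an added example (this is not the original post's configuration, which is only shown in the pictures). It assumes the interface names `inside` and `outside`, the object names `SITE1-LAN` and `SITE3-LAN`, and that the PAT rule is a twice NAT (section 1) rule; the line number `1` on the identity rule forces it ahead of the PAT rule in the same section, which is what gives it precedence.

```cisco
! --- Network objects for the two sites (names are assumptions for this example) ---
object network SITE1-LAN
 subnet 10.10.1.0 255.255.255.0
object network SITE3-LAN
 subnet 10.10.3.0 255.255.255.0
!
! --- Existing dynamic PAT: everything leaving inside is translated to the outside interface address ---
nat (inside,outside) source dynamic any interface
!
! --- Identity NAT inserted at line 1, i.e. evaluated BEFORE the PAT rule ---
! Source and destination stay untranslated (Site1 -> Site1, Site3 -> Site3), so the
! Site1-to-Site3 traffic keeps its original addresses and matches the VPN crypto ACL.
! no-proxy-arp and route-lookup are the usual options for identity NAT on ASA 8.3+.
nat (inside,outside) 1 source static SITE1-LAN SITE1-LAN destination static SITE3-LAN SITE3-LAN no-proxy-arp route-lookup
!
! --- Verification: the identity rule must be listed first in section 1 ---
show nat
!
! --- Re-run the test from the post: a Site1 host talking to a Site3 host (addresses are constructed) ---
! In the output, the NAT phase should hit the identity rule (untranslated addresses) and
! the trace should end with the VPN phase instead of the PAT translation.
packet-tracer input inside tcp 10.10.1.10 12345 10.10.3.10 443
```

If the PAT rule is instead configured as object NAT (inside an `object network` block), it already lives in section 2 and any twice NAT rule in section 1 precedes it, so the line number is not strictly required; it is still worth keeping, because it makes the intended ordering explicit in `show nat` output.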