topic Re: Nonat translation in Network Security

Nonat translation

Kmageshkumar — Mon, 11 Mar 2019 09:18:45 GMT

Hi,

Assume we are using an ASA with three zones configured,the security level of the each interface is as below,

INSIDE=100

TRUSTED=90

OUTSIDE=0

Also assume I have IP scheme 1.1.1.0/24 for inside,2.2.2.0/24 for trusted and 3.3.3.0/24 for outside.

I want to allow/permit the users from Trusted ,outside zones to inside without translation.

Please let me know the below configuration will work.

nat(trusted) 0 access-list nonattrust

nat(outside) 0 access-list nonatoutside

access-group outside in interface outside

access-group trust in interface trusted

access-list trust permit tcp host 2.2.2.5 host 1.1.1.5 eq 80

access-list nonattrust permit ip host 2.2.2.5 host 1.1.1.5

access-list outside permit tcp host 3.3.3.5 host 1.1.1.5 eq 80

access-list nonatoutside permit ip host 3.3.3.5 host 1.1.1.5

I am aware that for an inbound connection(lower to higher) static translation is required,but heared from one of my collegue that the above config will work.

Expecting an earliest reply.

Thanks and Regards,

Magesh

Re: Nonat translation

5220 — Sun, 14 Jan 2007 20:06:08 GMT

Hi,

On ASA there is an option to disable the need for mandatory traffic NAT, so no NAT 0 statement nedded. This will stil let you use NAT for specific traffic.

Give it a try.

Please rate if this helped.

Regards,

Daniel

Re: Nonat translation

Kmageshkumar — Tue, 16 Jan 2007 11:55:05 GMT

Hi,

I belive you are talking about the NAT-control feature.Please let me know whether the above config will work if i haven't use NAT-control.

Thanks,

Magesh

Re: Nonat translation

sachinraja — Tue, 16 Jan 2007 13:24:36 GMT

Hello Magesh,

As you know "nat-control" command was not there in 6.x version. But the default

behaviour back then was infact of "nat-control", meaning without a nat rule configured, inside traffic could not go outside.

However, in 7.x, the default is "no nat-control" which means inside traffic can

traverse the firewall towards outside even if there is no nat translation configured.

So basically with "no nat-control" you open up the door for the traffic to go through PIX even if there is no nat rule configured for that particular traffic.

Similarly for traffic from outside to inside with "no nat-control", you do not need any static defined either. The processing of an incoming packet continues (going through ACL and seeing if we should block it or

allow it, etc).

I think you should try the config on some test setup and confirm its working...

Hope this helps..

Raj

Re: Nonat translation

Kmageshkumar — Fri, 19 Jan 2007 01:45:48 GMT

Hi Raj,

Thanks much for your help.

Let me try this in the test setup and get back to you.

Thanks,

Magesh