<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: NAT-Control on ASA in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689382#M1035422</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Jason,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  I honestly opened a case with Cisco to get this clarified. I couldn't wait so long to get feedback through the forum. However, since you have tackled the problem I will do a simple rating, for otherwise I would have rated it as 5.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 08 Dec 2006 20:32:35 GMT</pubDate>
    <dc:creator>m-haddad</dc:creator>
    <dc:date>2006-12-08T20:32:35Z</dc:date>
    <item>
      <title>NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689372#M1035412</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  I have an ASA with three interfaces: Inside, outside and DMZ. &lt;/P&gt;&lt;P&gt;Outside security level 0, IP: 62.x.x.x&lt;/P&gt;&lt;P&gt;Inside security level 100, IP: 10.200.0.1&lt;/P&gt;&lt;P&gt;DMZ security level 90, IP: 192.168.2.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  I have three ACLs, one on each interface. I want the inside hosts to communicate with the DMZ hosts without static NAT or global NAT. I disabled nat-control on the ASA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  The problem is that the Inside was not able to communicate with the DMZ until I added the static below:&lt;/P&gt;&lt;P&gt;static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After that the Inside was able to communicate with the DMZ and vice versa.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The weird problem is that ICMP was always dropped from inside to DMZ or DMZ to inside with the error: no translation group found for icmp src inside:x.x.x.x dst DMZ:x.x.x.x&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  I added another static NAT from DMZ to Inside:&lt;/P&gt;&lt;P&gt;static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And it worked!!!! &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can anybody explain the above behavior and help me understand what improvement disabling nat-control gave me?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  &lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 08:58:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689372#M1035412</guid>
      <dc:creator>m-haddad</dc:creator>
      <dc:date>2019-03-11T08:58:23Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689373#M1035413</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (a nat statement with a matching global, or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as in PIX Firewall versions earlier than 7.0. The default configuration of PIX 7.0 is no nat-control. With PIX Firewall version 7.0, you can change this behavior when you issue the nat-control command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With nat-control disabled, the PIX forwards packets from a higher-security interface to a lower one without a specific translation entry in the configuration. In order to pass traffic from a lower-security interface to a higher one, use access-lists to permit the traffic. The PIX then forwards the traffic. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 20 Nov 2006 20:34:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689373#M1035413</guid>
      <dc:creator>Collin Clark</dc:creator>
      <dc:date>2006-11-20T20:34:26Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689374#M1035414</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;But that's exactly what has been done. He disabled nat-control (it is the default, but maybe it was enabled). Then the inside hosts could not get to the DMZ hosts UNTIL he used the static identity NAT command, while it should work without NAT (as nat-control was disabled).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Has anyone else actually ever tried configuring a PIX without NAT (7.0 and higher, of course)? &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 20 Nov 2006 21:05:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689374#M1035414</guid>
      <dc:creator>rkazmierczak</dc:creator>
      <dc:date>2006-11-20T21:05:36Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689375#M1035415</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;As you said, I disabled nat-control. However, the nat-control did nothing for me. I had to do the identity NAT entries from the higher to the lower security level and vice versa. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I wish to know if anybody has tried this scenario before.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Nov 2006 05:46:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689375#M1035415</guid>
      <dc:creator>m-haddad</dc:creator>
      <dc:date>2006-11-21T05:46:48Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689376#M1035416</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have this working between 3 interfaces with only access-lists configured, using no nat-control.&lt;/P&gt;&lt;P&gt;Code is 7.1(2).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I also have the same scenario with 7.2.(1)19 code.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Are you sure there are no nat statements configured at all?&lt;/P&gt;&lt;P&gt;With no nat-control, although NAT is not required, if you have a statement which a particular host matches, e.g. when going from inside to outside, then NAT has to be configured also when that host goes to the DMZ.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 06 Dec 2006 05:47:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689376#M1035416</guid>
      <dc:creator>m.reay</dc:creator>
      <dc:date>2006-12-06T05:47:03Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689377#M1035417</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Referring to the URL below:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html" target="_blank"&gt;http://cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It says that with no nat-control, NAT statements are not required. I have actually heard this DOES WORK without the nat statements; only the ACLs are required. But it is always good to have identity NAT configured, since you will have more control over the traffic flowing between interfaces. Otherwise, the PIX firewall will just be like a router, forwarding traffic between two segments without any restriction.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Raj&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Dec 2006 02:29:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689377#M1035417</guid>
      <dc:creator>sachinraja</dc:creator>
      <dc:date>2006-12-07T02:29:13Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689378#M1035418</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would do 2 things.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Make sure that you have disabled nat-control properly with a 'no nat-control', take out the statics, and do a 'clear xlate' to make sure that the translations are gone.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do a 'show run nat-control' and make sure that 'no nat-control' shows up.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other possibility is that you have a nat/global pair between those 2 interfaces that is making you require the use of statics.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;--Jason&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Dec 2006 02:43:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689378#M1035418</guid>
      <dc:creator>jgervia_2</dc:creator>
      <dc:date>2006-12-07T02:43:47Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689379#M1035419</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi. I totally agree with Raj. If you want the inside hosts to communicate with the DMZ and at the same time take advantage of the security provided by the ASA, then you have 2 options.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.-  Either use a static identity NAT&lt;/P&gt;&lt;P&gt;2.-  Use nat (interface-name) 0 access-list &lt;ACCESS-LIST&gt;, defining the interesting traffic that is NOT to be NATed with an access-list &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Dec 2006 10:54:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689379#M1035419</guid>
      <dc:creator>Fernando_Meza</dc:creator>
      <dc:date>2006-12-07T10:54:41Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689380#M1035420</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Guys,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  I appreciate all your feedback. However, I opened a case with Cisco about this issue because even with identity NAT I was having other problems. Jason had the right answer. &lt;/P&gt;&lt;P&gt;1- If you disable nat-control and you have any nat/global pair, you will need the identity NAT.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2- If you have identity NAT with ALIAS commands, this can also cause a problem because traffic from the DMZ back to the inside won't work because of the alias command. The solution to this problem is DNS doctoring.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again,&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Dec 2006 17:26:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689380#M1035420</guid>
      <dc:creator>m-haddad</dc:creator>
      <dc:date>2006-12-07T17:26:26Z</dc:date>
    </item>
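The rule the thread settles on (Jason's diagnosis, confirmed by the original poster from the Cisco case: with no nat-control, a nat/global pair that matches a host forces a translation for every interface pair that host crosses) and Fernando's two ways of supplying that translation, as an added configuration example that is not from any post in the thread. It uses the pre-8.3 ASA NAT syntax the thread is about (7.x, and unchanged through 8.2); the inside-to-outside nat/global pair, the ACL names NONAT and DMZ_IN, and the DMZ host addresses are assumptions, while the interface names and the inside and DMZ networks are the ones from the original post.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT syntax.
! Interfaces as in the original post: inside (100) 10.200.0.0/16,
! DMZ (90) 192.168.2.0/24, outside (0).

! Step 1: confirm nat-control really is off. "show run nat-control"
! must print "no nat-control"; a bare "nat-control" restores the
! pre-7.0 rule that every flow needs a translation.
no nat-control

! Step 2: the (assumed) dynamic PAT for Internet access. This is the
! statement that silently changes the rules: an inside host matched by
! "nat (inside) 1" is now a translated host, so the ASA demands a
! translation for it on EVERY interface pair, inside->DMZ included,
! even with no nat-control. Without one the packet is dropped and the
! log shows "no translation group found".
nat (inside) 1 10.200.0.0 255.255.0.0
global (outside) 1 interface

! Option 1 (what the original poster ended up with): static identity
! NAT in both directions between inside and DMZ. A static only creates
! translations for flows whose real side is its first interface, which
! is why the DMZ,inside line was also needed for DMZ-initiated flows.
! Note that without "inspect icmp" ICMP is not stateful on the ASA,
! so echo replies from the DMZ are evaluated as new DMZ->inside flows
! and need their own translation and ACL permit.
static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0
static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

! Option 2 (Fernando's "nat 0 access-list"): NAT exemption. One line
! is enough because NAT exemption is bidirectional, i.e. DMZ hosts may
! also initiate connections to the exempted inside hosts, and it is
! evaluated before the dynamic "nat (inside) 1" above. Use option 1 or
! option 2, not both.
access-list NONAT extended permit ip 10.200.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Translation is not permission. Traffic initiated from DMZ (90) to
! inside (100) still needs an ACL on the DMZ interface; without it the
! drop reason merely changes from "no translation group" to an ACL
! deny. Permit only what the DMZ genuinely needs (ICMP echo here as a
! placeholder; add one line per required service).
access-list DMZ_IN extended permit icmp 192.168.2.0 255.255.255.0 10.200.0.0 255.255.0.0 echo
access-group DMZ_IN in interface DMZ

! Step 3: after changing NAT, flush stale translations and verify.
!   clear xlate
!   show xlate
!   packet-tracer input DMZ icmp 192.168.2.10 8 0 10.200.0.50   (7.2 and later)
```

The packet-tracer line is the quickest way to see which of the two failures you are hitting: its NAT phase reports the missing translation, while its ACCESS-LIST phase reports the missing permit, so you do not have to infer the cause from the syslog message alone.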
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689381#M1035421</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Glad to help.   Pix nat is not a simple concept - I wish they would change it.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Don't forget to rate my previous message if it actually helped.  &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;--Jason&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 08 Dec 2006 01:53:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689381#M1035421</guid>
      <dc:creator>jgervia_2</dc:creator>
      <dc:date>2006-12-08T01:53:15Z</dc:date>
    </item>
    <item>
      <title>Re: NAT-Control on ASA</title>
      <link>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689382#M1035422</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Jason,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;  I honestly opened a case with Cisco to get this clarified. I couldn't wait so long to get feedback through the forum. However, since you have tackled the problem I will do a simple rating, for otherwise I would have rated it as 5.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 08 Dec 2006 20:32:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-control-on-asa/m-p/689382#M1035422</guid>
      <dc:creator>m-haddad</dc:creator>
      <dc:date>2006-12-08T20:32:35Z</dc:date>
    </item>
  </channel>
</rss>

