https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484591#M1084320 <P>NAT isn't required on the ASA per se.</P> <P>There could be an upstream device performing NAT for the clients behind the ASA.</P> Tue, 12 Oct 2021 16:05:14 GMT Marvin Rhoads 2021-10-12T16:05:14Z https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484554#M1084319 <P>We are on Cisco ASA 5516.</P><P>&nbsp;</P><P>There is an interface 10.50.70.0/23 on the firewall and it has outbound access list set to 'permit any'. But there is no NAT configured for this interface.</P><P>&nbsp;</P><P>Yet, systems behind this interface are able to access internet, how is that possible? I thought NAT was mandatory.</P><P>&nbsp;</P><P>Packet tracer:</P><P>&nbsp;</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: INPUT-ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found next-hop X.X.X.X (gateway) using egress ifc outside</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />(Access list permit ip any any snipped)<BR />Additional Information:</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 6<BR />Type: SFR<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />class-map sfr<BR />match access-list sfr_redirect<BR />policy-map global_policy<BR />class sfr<BR />sfr fail-open<BR />service-policy global_policy global<BR />Additional Information:</P><P>Phase: 7<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 8<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 9<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 10<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 386155607, packet dispatched to next module</P><P>Result:<BR />input-interface: XXXXX<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> Tue, 12 Oct 2021 15:01:25 GMT https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484554#M1084319 InTheJuniverse 2021-10-12T15:01:25Z https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484591#M1084320 <P>NAT isn't required on the ASA per se.</P> <P>There could be an upstream device performing NAT for the clients behind the ASA.</P> Tue, 12 Oct 2021 16:05:14 GMT https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484591#M1084320 Marvin Rhoads 2021-10-12T16:05:14Z https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484601#M1084321 <P>Our ASA is the only device that does all the NAT.</P> Tue, 12 Oct 2021 16:21:51 GMT https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484601#M1084321 InTheJuniverse 2021-10-12T16:21:51Z https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484609#M1084322 <P>What does traceroute show you?</P> Tue, 12 Oct 2021 16:32:31 GMT https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4484609#M1084322 Marvin Rhoads 2021-10-12T16:32:31Z https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4485103#M1084329 <P>I jumped the gun!</P><P>&nbsp;</P><P>I looked at the asdm logs and assumed the packets are going through. ACL allowed everything, hence the logs, but on the end host interent access didn't work.</P><P>&nbsp;</P><P>Thank you again!</P> Wed, 13 Oct 2021 08:53:53 GMT https://community.cisco.com/t5/network-security/internet-working-without-nat/m-p/4485103#M1084329 InTheJuniverse 2021-10-13T08:53:53Z