https://community.cisco.com/t5/network-security/disabling-nat-control/m-p/2132040#M393944 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In short, to my understanding, when NAT-CONTROL is enabled you will always need a NAT rule that applies to the traffic going through the firewall. If the traffic doesnt have any NAT rule configured it doesnt go through.</P><P></P><P>On the other hand if the NAT-CONTROL is DISABLED the traffic doesnt (necesarily) need a NAT rule.</P><P></P><P>Access-rules are best handled by using ACLs and not relying if NAT configuration exists or not.</P><P></P><P>Also I have never relied on the interface security-levels to define what traffic is allowed</P><P></P><P></P><P>A small portion from a Cisco document for ASA 8.2 software level regarding "nat-control"</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><H2> Default Settings </H2><P></P><P><A name="wp1085922"></A></P><P> By default, NAT control is disabled; therefore, you do not need to&nbsp; perform NAT on any networks unless you want to do so. If you upgraded&nbsp; from an earlier version of software, however, NAT control might be&nbsp; enabled on your system. Even with NAT control disabled, you need to&nbsp; perform NAT on any addresses for which you configure dynamic NAT</P></PRE><P></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 18 Dec 2012 22:14:51 GMT Jouni Forss 2012-12-18T22:14:51Z https://community.cisco.com/t5/network-security/disabling-nat-control/m-p/2132039#M393941 <P>Dear,</P><P></P><P>I have a ASA 5520 with nat Control enabled in my job. This firewall is very critical for bussiness process, so I'd like to confirm with you what happen if I disable this control. This command is an update legacy of the IOS version from a Cisco PIX to this ASA.</P><P></P><P>I read alot about it and for my perspective is not going to happen nothing if a disable this control of the ASA. The only thing is the security fails on the Acl's of the interfaces.</P><P></P><P>What are your reviews and experience?</P><P></P><P>Best regards.</P><P></P><P>Hector.-</P> Tue, 12 Mar 2019 00:38:51 GMT https://community.cisco.com/t5/network-security/disabling-nat-control/m-p/2132039#M393941 javi_cesp 2019-03-12T00:38:51Z https://community.cisco.com/t5/network-security/disabling-nat-control/m-p/2132040#M393944 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In short, to my understanding, when NAT-CONTROL is enabled you will always need a NAT rule that applies to the traffic going through the firewall. If the traffic doesnt have any NAT rule configured it doesnt go through.</P><P></P><P>On the other hand if the NAT-CONTROL is DISABLED the traffic doesnt (necesarily) need a NAT rule.</P><P></P><P>Access-rules are best handled by using ACLs and not relying if NAT configuration exists or not.</P><P></P><P>Also I have never relied on the interface security-levels to define what traffic is allowed</P><P></P><P></P><P>A small portion from a Cisco document for ASA 8.2 software level regarding "nat-control"</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><H2> Default Settings </H2><P></P><P><A name="wp1085922"></A></P><P> By default, NAT control is disabled; therefore, you do not need to&nbsp; perform NAT on any networks unless you want to do so. If you upgraded&nbsp; from an earlier version of software, however, NAT control might be&nbsp; enabled on your system. Even with NAT control disabled, you need to&nbsp; perform NAT on any addresses for which you configure dynamic NAT</P></PRE><P></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 18 Dec 2012 22:14:51 GMT https://community.cisco.com/t5/network-security/disabling-nat-control/m-p/2132040#M393944 Jouni Forss 2012-12-18T22:14:51Z