https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902142#M436561 <P>Hi all</P><P>I have an asa with the latest asdm. I have 2 questions</P><P></P><P>When doing a no Nat rule between 2 destinations, do I create a nat rule with my source and destination, then in the bottom box keep both as original ? How do I know if nat control is enabled on the GUI ?</P><P></P><P>I need to see some logs for something that is getting denied, on the bottom of each acl I don't see the implicit deny rule, do i need to create one at the bottom of my acl in question and turn logging to debugging?</P><P></P><P>Many thanks </P> Mon, 11 Mar 2019 23:08:55 GMT carl_townshend 2019-03-11T23:08:55Z https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902142#M436561 <P>Hi all</P><P>I have an asa with the latest asdm. I have 2 questions</P><P></P><P>When doing a no Nat rule between 2 destinations, do I create a nat rule with my source and destination, then in the bottom box keep both as original ? How do I know if nat control is enabled on the GUI ?</P><P></P><P>I need to see some logs for something that is getting denied, on the bottom of each acl I don't see the implicit deny rule, do i need to create one at the bottom of my acl in question and turn logging to debugging?</P><P></P><P>Many thanks </P> Mon, 11 Mar 2019 23:08:55 GMT https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902142#M436561 carl_townshend 2019-03-11T23:08:55Z https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902143#M436562 <HTML><HEAD></HEAD><BODY><P>Hello Carl,</P><P></P><P>Is the requirement to know it via ASDM or can it be via CLI.</P><P></P><P>If CLI I can help you right now.</P><P></P><P>Do a sh run nat-control ( If you are running a version higher than 8.3 nat control will be disabled by default)</P><P></P><P>Regarding the not nat Rule, Yes you have to let them original. </P><P></P><P>Now regarding the ACL in order to log it you need to create it ( By default the implicit deny will not generate a log)</P><P></P><P>Regards,</P><P></P><P>Do rate all the helpful posts</P><P></P><P>Julio</P><P></P><P>Cisco Security Engineer</P></BODY></HTML> Sat, 19 May 2012 03:28:43 GMT https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902143#M436562 Julio Carvajal 2012-05-19T03:28:43Z https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902144#M436563 <HTML><HEAD></HEAD><BODY><P> Hi</P><P>so if we run 8.4 then is trafic allowed to flow throught he device without nat by default ?</P><P></P><P>also with the logging messages, so are you saying that i need to create an implicit deny under each of my access lists to see the deny logs ?</P><P></P><P>cheers</P></BODY></HTML> Sat, 19 May 2012 09:32:03 GMT https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902144#M436563 carl_townshend 2012-05-19T09:32:03Z https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902145#M436564 <HTML><HEAD></HEAD><BODY><P>Hello Carl,</P><P></P><P>from 8.3 to new versions Nat control is disabled, so if a packet from a higher security level wants to go to a lower version</P><P>there is no need for a NAT statement as required on 8.2 or lower versions.</P><P></P><P>If you want to see the deny logs yes you will need to do that.</P><P></P><P></P><P>Regards,</P><P></P><P></P><P><SPAN style="text-decoration: underline;"><EM><STRONG>DO Rate all the helpful posts</STRONG></EM></SPAN></P><P></P><P></P><P>Julio</P></BODY></HTML> Sat, 19 May 2012 19:10:04 GMT https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902145#M436564 Julio Carvajal 2012-05-19T19:10:04Z https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902146#M436565 <HTML><HEAD></HEAD><BODY><P> Hi There</P><P></P><P>what about if traffic say from outside (low security interface) needs access to a host in the inside (high security) interface, do we need to do configure a nat exemption for this ?</P><P></P><P>Many thanks</P><P></P><P>Carl</P></BODY></HTML> Mon, 21 May 2012 11:37:22 GMT https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902146#M436565 carl_townshend 2012-05-21T11:37:22Z https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902147#M436567 <HTML><HEAD></HEAD><BODY><P>Hello Carl,</P><P></P><P>Not at all you do not need that, but if you have a private ip address for the internal host you will need to nat it to the outside world to make it routable... but that is common sense.</P><P></P><P>It is not required to used it ( if you have on the inside interface public ip addresses then you will not need to do the NAT)</P><P></P><P>Hope this helps.</P><P></P><P>Please let me know if you have any other question if not please mark the question as answered.</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Mon, 21 May 2012 17:36:08 GMT https://community.cisco.com/t5/network-security/logging-and-nat-rules-question/m-p/1902147#M436567 Julio Carvajal 2012-05-21T17:36:08Z