topic Why CISCO ASA does NATing by default and not ROUTing ? in Network Security

Why CISCO ASA does NATing by default and not ROUTing ?

Peter Nemec — Mon, 11 Mar 2019 21:12:28 GMT

Hello,

my question may sound stupid, but please explain to me the following behavior.

CISCO ASA 5505

Interfaces:

OUTSIDE - 194.50.90.221 255.255.255.0 / security level 0

DMZ - 192.168.12.254 255.255.255.0 / security level 25

INSIDE - 192.168.0.6 255.255.255.0 / security level 50

Now, if I want to ping from the DMZ to INSIDE, I get an error message "no translation group found for icmp src DMZ: ...... dst: INSIDE...."

I fixed is by adding "NAT 0" onto the INSIDE interface so that packets originating from "INSIDE" that are destined for "DMZ" do not get NAT'd.

Now my question is, becasue these are all directly connected networks, how come the firewall does not route the packets, but tries to NAT them instead... ???

Why CISCO ASA does NATing by default and not ROUTing ?

varrao — Tue, 16 Aug 2011 15:39:40 GMT

Hi Peter,

You would need the nat command only if you have nat-control enabled on the ASA, if it is no nat-control, you would just need an access-list to go from your dmz to inside.

You can check this by:

show run nat-control

It will tell you whether it is enabled or not.

Hope this helps.

Thanks,

Varun

Why CISCO ASA does NATing by default and not ROUTing ?

Collin Clark — Tue, 16 Aug 2011 15:41:13 GMT

A firewall is a security device. It's role is to separate trusted and untrusted networks. Part of that separation is controlled by the security level. You can't go from a less secure network to a more secure network without you specifically granting access (both NAT and ACL).

Why CISCO ASA does NATing by default and not ROUTing ?

Peter Nemec — Tue, 16 Aug 2011 16:54:54 GMT

Thanks guys, makes sense now

This was just one of the thinks I wanted to have clarified

yes it is a firewall and not a router

By the way, I am still a bit confused, because I tried to run the "show run nat-control" and it shows "no nat-control"...

Yes I previously added access-lists to allow ICMP traffic flowing from lower sec level to higher sec level, but wont work without having NAT 0 specified in INSIDE interface...

But yeah, makes sense that because this is a firewall and no router, by default, It's supposed to provide the least-permissive conditions for traffic to flow through its interfaces...

Why CISCO ASA does NATing by default and not ROUTing ?

varrao — Tue, 16 Aug 2011 17:45:46 GMT

Hi Peter,

Kindly go through the doc, if you have qany queries, feel free to drop in:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html

-Varun

Why CISCO ASA does NATing by default and not ROUTing ?

Peter Nemec — Wed, 17 Aug 2011 08:48:30 GMT

Thanks all again, I have read the last article, makes sense, cheers

Why CISCO ASA does NATing by default and not ROUTing ?

varrao — Wed, 17 Aug 2011 09:03:57 GMT

Sure Peter , you can mark the thread as answered if your queries are resolved.

-Varun