topic Re: ASA nat-control issue in Network Security

ASA nat-control issue

lanli_ltp — Mon, 11 Mar 2019 17:56:29 GMT

We are looking for a clarification of ASA nat-control command. Unfortunately, we don't have spare device to test it out.

The situation is as follows:

An ASA firewall has three interfaces: "inside", "outside", and "corpinside".

nat-control is DISABLED.

A GLOBAL statment is defined on the "outside" interface and the correpsonding NAT statement on the "inside" interface, something like:

global(outside) 1 ...

nat (inside) 1 ...

We confirmed packets from "inside" to "outside" are allowed even for the packes that do not match any NAT rules (including Static NAT, DynamicNAT, and NAT Exempt).

The issue is what happens to traffice from "inside" to "corpinside" if no Dynamic NAT is defined from "inside" to "corpinside" and two interfaces have

different secuity levels.

One interpretation is: Since NAT is disabled, all traffic from "inside" to "corpinside" should be allowed.

Another interpretation: If dynamic NAT is configured on an interface, all traffic from that interface to any other interface must hit a NAT rule, therefore traffic from "inside" to "corpinside" should be denied .

We need a clarification of which interpretation is correct.

Also,if "inside" and "corpinside" are at the same security level, then is the traffic allowed?

Re: ASA nat-control issue

Federico Coto Fajardo — Tue, 08 Jun 2010 23:01:52 GMT

Hello,

I think here are the answer to your questions:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html

Federico.

Re: ASA nat-control issue

Federico Coto Fajardo — Tue, 08 Jun 2010 23:24:10 GMT

Taken from the link:

Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT.
When NAT control is disabled, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go
out on other interfaces unless you define those destinations with the nat 0 access-list command.

Federico.

Re: ASA nat-control issue

lanli_ltp — Wed, 09 Jun 2010 02:06:48 GMT

Thanks for your information.

We had read the document you mentioned. Our interpretation at that time was the following.

If nat-control is disabled and dynamic NAT is defined on an interface on which traffic is originating, then packets going from that interface to any other interfaces must match NAT rules.

So, in the example I specified above, packets from "inside" to "outside" that do not match any NAT rule (including NAT Exempt rule) should have been dropped.

However, someone did device testing and told us that packets from "inside" to "outside" that match no NAT rule are actually allowed as is.

So that's why we are not sure what is the correct behavior of ASA nat-control.

Re: ASA nat-control issue

Panos Kampanakis — Wed, 09 Jun 2010 13:48:06 GMT

I am not sure if it clear but "match no NAT rule" does not mean that they do no match a nat rule. You could be matching no nat (nat exemption)

by matching nat (inside) 0 rule.

I hope it is clear now.

Re: ASA nat-control issue

lanli_ltp — Wed, 09 Jun 2010 14:29:35 GMT

Sorry for the confusion.

"Patcks that match no nat rules" means "Packets that do not match any NAT rules including Dynamic NAT, Static NAT, and NAT Exempt rules"