https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953385#M917561 <HTML><HEAD></HEAD><BODY><P>Well, I know there have being a long time, but I finaly get the point.</P><P></P><P>Actually the ASA can route between interfaces without any nat or no nat, and it works well.</P><P></P><P>The problem occors when you have for example:</P><P></P><P>nat (inside) 1 0.0.0.0 0.0.0.0 </P><P>global (outside) 1 interface</P><P></P><P>Then when you try to communicate an inside host with an DMZ host you get the message (no translation group found.)</P><P></P><P>And it happen because you have an nat for all inside hosts but none glogal (with index 1 in this case) for DMZ.</P><P></P><P>If you dont have the originating host included in any "nat" you dont need a global or nat0 either.</P><P></P><P>If you want an inside host to be natted to outside and not natted to dmz you will need a nat0 anyway.</P></BODY></HTML> Thu, 07 May 2009 17:19:49 GMT guibarati 2009-05-07T17:19:49Z https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953383#M917559 <P>I have implemented a few ASA firewall over the time and I have a question that I never solved.</P><P></P><P>There is an option on ASDM in the NAT screen that says " allow traffic between interfaces without NAT" or something like this. This option insert the "no nat-control" in the script and it is sopposed to allow traffic between interfaces without nat.</P><P>Even so every time I install a new ASA appliance and try to communicate Inside network with DMZ network I need an Static (inside,DMZ) or a "no nat" if I dont do that I see the error message:</P><P></P><P>No translation group foud for src x.x.x.x dst y.y.y.y</P><P></P><P>Does anybody knows why does it happens and if it's right to always need to use the no nat or static to communicate the two networks?</P> Mon, 11 Mar 2019 13:06:15 GMT https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953383#M917559 guibarati 2019-03-11T13:06:15Z https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953384#M917560 <HTML><HEAD></HEAD><BODY><P>If nat control is enabled then it is mandatory to implement NAT in the network using any type of NAT.If the Nat control is disabled then "NO NAT" can be used so that no address translation occurs.</P><P></P><P>For more info on "NO NAT" refer the url below:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942fe.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942fe.shtml</A></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942ff.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942ff.shtml</A></P></BODY></HTML> Thu, 03 Jul 2008 17:34:18 GMT https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953384#M917560 smahbub 2008-07-03T17:34:18Z https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953385#M917561 <HTML><HEAD></HEAD><BODY><P>Well, I know there have being a long time, but I finaly get the point.</P><P></P><P>Actually the ASA can route between interfaces without any nat or no nat, and it works well.</P><P></P><P>The problem occors when you have for example:</P><P></P><P>nat (inside) 1 0.0.0.0 0.0.0.0 </P><P>global (outside) 1 interface</P><P></P><P>Then when you try to communicate an inside host with an DMZ host you get the message (no translation group found.)</P><P></P><P>And it happen because you have an nat for all inside hosts but none glogal (with index 1 in this case) for DMZ.</P><P></P><P>If you dont have the originating host included in any "nat" you dont need a global or nat0 either.</P><P></P><P>If you want an inside host to be natted to outside and not natted to dmz you will need a nat0 anyway.</P></BODY></HTML> Thu, 07 May 2009 17:19:49 GMT https://community.cisco.com/t5/network-security/allow-traffic-inter-interface-without-nat-still-need-quot-no-nat/m-p/953385#M917561 guibarati 2009-05-07T17:19:49Z