ASA 8.2 no nat-control

kunal-united
Level 1

Hi,

ASA5540# sh run nat-control

no nat-control

This means higher security can talk to lower security without NAT rules.

Question 1) - If I want the higher security zone to talk to lower security with NAT rules, I would use statements like below. Am I correct?

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

global (dmz) 1 interface

global (inside) 1 interface

Is this correct? So in this case I am kind of like overriding the no nat-control statement ...right?

Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption?

nat (dmz) 0 access-list dmz-nonat

nat (inside) 0 access-list dbase-nonat

And do I have to have a global statement for nat 0 ...like below?

global (dmz) 0 access-list dmz-nonat

global (apps) 0 access-list dbase-nonat

...let me know whatever you need, I am ready to provide you the necessary info.

Thanks

2 Replies

ajay chauhan
Level 7

First of all, nat-control is disabled by default; only once you turn it on are NAT rules required.

global (outside) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

This, you could say, is for internet traffic.

If NAT-CONTROL is enabled in 8.2 and below, for Inside to DMZ traffic flow you must have a NAT statement such as this:


static (inside,DMZ) 10.10.10.0  10.10.10.0  netmask 255.255.255.0

So: if NAT-CONTROL is enabled, traffic from higher security to lower security zone must be NAT'd. If NAT-CONTROL is NOT enabled, then as long as routing and ACLs are satisfied, traffic from inside to DMZ would flow normally.

For more info: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_82.pdf

Thanks

Ajay

Julio Carvajal
VIP Alumni

Hello Kunal,

Answer to question 1: If you want to allow outbound connections from the outside to the inside (higher to lower security level interface), yes, a PAT will work for that.

Answer to question 2: If you do not have nat control enabled, you are not translating anything, so what would be the purpose of the nat 0? Now, the whole idea of the nat 0 is DO NOT translate this, so why would you use a global for that? So NO, there is no global on the nat 0.

Please rate helpful post,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
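Added example, not part of this thread and not taken from Cisco's documentation: a constructed ASA 8.2 (pre-8.3 NAT syntax) configuration that puts the two replies' points together for both questions. The interface names, NAT id 1, the access-list name and the addresses are assumptions. It shows where the global for a dynamic nat statement belongs (on the lower-security egress interface, not on each source interface as in the original question) and that nat 0 exemption is configured without any global.

```text
! Constructed ASA 8.2 example (pre-8.3 NAT syntax). Interface names, nat id,
! access-list name and addresses are assumptions, not taken from the thread.
!
! nat-control is off by default. With it off, inside -> dmz traffic that
! matches no nat statement passes untranslated once routing and ACLs allow it.
no nat-control
!
! Question 1: dynamic PAT for inside and dmz hosts leaving via the outside
! interface. The nat line names the SOURCE interface; the matching global
! (same id, 1) belongs on the lower-security EGRESS interface. There is one
! global on outside, not a global on each source interface.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Question 2: NAT exemption for inside -> dmz. "nat (inside) 1 0.0.0.0 0.0.0.0"
! matches every inside source whatever the destination, so the exemption keeps
! the inside -> dmz flow out of that PAT rule. nat id 0 means "do not
! translate"; it is reserved for identity NAT and exemption and has no global
! counterpart. NAT exemption is evaluated before static and dynamic NAT rules.
access-list inside-nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
```

To check the result on an 8.2 box, `show xlate` after an inside -> outside connection shows a PAT entry on the outside interface address, while an inside -> dmz connection that matches inside-nonat creates no translation.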