Hello Paul,

Thank you for the reply!

I have one doubt here on your below NAT statement for NAT outside to inside.

2No natting from outside to inside:

static (inside,outside) 10.2.1.0 10.2.1.0 netmask 255.255.255.0

static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0

static (inside,outside) 10.1.222.0 10.1.222.0 netmask 255.255.255.0

IS the Static command should be 

static (outside,inside) 10.4.x.0 172.16.31.0 netmask 255.255.255.0..?

here 10.4.x.0 is Vendor network subnet and 172.16.31.0 is MY FW outside subnet

if not what scenarios the command will be

static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0 for this requirement.

please let me know how we can use static ( inside, outside) ...to inititate traffic from outside to inside and what ACL should be used in regards to source to destintion for applying on in traffic for outside interface of FW.

Appreciate your help.

Regards,

KA.

Hi Karim,

Are you going to have any NAT configured at all on the firewall? If there is none configured, there is no need for the static or nat 0 statements above (given nat-control is disabled). All you need are ACLs on the outside interface to allow outside subnets to access the inside networks.

Regards,

Prapanch

Prapanch,

With 8.4 there is no "nat-control" AFAIK.  Can I configure an 8.4 ASA without any NAT commands at all and expect traffic to traverse the device (with appropriate ACLs)?

I was under the impression from the docs that you must at least do Identity NAT.

Hi Josh,

There is no concept of nat-control post 8.3 versions, so yes you would need atleast a identity nat configuration to pass the traffic through ASA. Kindly let me know if you need any config help.

Varun

Thank you Varun,

Here is what I am doing:

Customer  ->  ASA 5520  ->  3750X  ->  PIX  ->  Internet

I am protecting the "3750X" portion of the network from the Customer network.  The customer uses the Internet through the PIX.  There cannot be any NAT at all on the ASA.

I have some of this going on which seems to be the appropriate Identity NAT:

object network Inet

subnet 0.0.0.0 0.0.0.0

object network Inet

nat (3750x,customer) static 0.0.0.0

My ACLs are permit IP any any on both interfaces.  Customer has the lower security level.

=======

Connectivity from the Customer to the Internet is very spotty.  It almost looks like an MTU issue - some websites load, others do not, pings are good to go everywhere.  When I replace that ASA with a Cisco router, everything works great.

I want the ASA to behave like a router (no NAT) but provide nice ACL, packet inspection and logging features.  I could do this easily in the past with an ASA using "nat 0" or "no nat-control." 

Thoughts?

Hi Josh,

You would need the following nat config to exempt all customer network:

Lets say your customer network has 3 networks:

192.168.1.0

192.168.2.0

192.168.3.0

and youi want to exempt these networks completely:

Then you would need:

object-group network internal_subnets

  network-object subnet 192.168.1.0 255.255.255.0

  network-object subnet 192.168.2.0 255.255.255.0

  network-object subnet 192.168.3.0 255.255.255.0

nat (inside,outside) source static internal_subnets internal_subnets   (assuming your cust network is on the inside interafce)

Thats it.....

You just need these nats.

Thanks,

Varun

Consider that the entire Internet is "internal" in this configuration.  The customer is "external" and the 3750x areas + the Internet are "internal".

Josh,

Is that wat you are referring to:

Customer----------outside(ASA)inside---------3750-------------inside(PIX)outside---------------Internet

Then also no worries:

nat (outside,inside) source static internal_subnets internal_subnets

Thats it...

Hope this helps

Thanks,

Varun

And by internal_subnets do you mean 0.0.0.0/0?  If I only list the actual subnets in the 3750x area, the customer will not be able to reach the Internet.

Or would it be:

nat (outside,inside) source static customer_subnets customer_subnets

I mean the customer_subnets, the one that I mentioned in the configuration. On the PIX device you must be having a nat statement, something like:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1

so this would give internet access to all IP addresses on the inside.

Varun

I will give that a try next week and come back here to let you know.  Yes the PIX is NATing to the Internet.

Thanks!

- Josh

No problem Josh!!!!!

If you ahve any issues, do post ot to me.

Varun