Connect 2 ASA's together without NAT

jamescox3
Level 1

I have a strange business case that requires us to use two ASAs to protect an internal system. I'm trying to figure out if there is a way to connect the two without using a NAT between them.

The setup looks like this, sorry for the crude drawing:

[diagram: diag.jpg]

Right now there is a route on ASA2: 0.0.0.0 0.0.0.0 10.1.1.1 1

There is no need for users on ASA1 to reach the system behind ASA2.

I think I should be able to just have ACLs on ASA2 to allow ports and hosts to the system behind it, but my gut says that I need a NAT.

Thanks for any input.

4 Replies

david.tran
Level 4

The ASA, by default, has NAT disabled. You can be sure by typing this command: "no nat-control". That will disable NAT altogether. Just do not use the PAT or NAT commands in the configuration; by doing so, you will turn NAT back on.

Easy right?

Sounds easy enough.

I'm thinking that my security level should be equal on both ASAs since they are both trusted?

Mr. Tran,

When you say to disable the NAT on the ASA ("no nat-control"), will this be for the entire appliance? Wouldn't the ASA act like any router/switch at that point, with layer 3 functionality?

Yes, with the following assumptions:

- You have an ACL of "permit ip any any log" on all of the lower-level interfaces,

- Remove all of the inspects from the configuration,

Then your ASA will behave "almost" like a router at that point.
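The following ASA2 configuration is an added example for this thread, not something posted by either participant. It shows the pieces discussed above in one place: NAT left disabled, the default route toward ASA1 from the original post, and an access list on the ASA1-facing interface. Instead of the "permit ip any any log" the reply suggests, it admits only the ports the protected host needs and logs everything else, which is the least-privilege form of the ACL the original poster had in mind. Interface names, the 10.1.1.0/24 and 10.2.2.0/24 subnets, the host address 10.2.2.10 and the TCP ports are assumptions; only the next hop 10.1.1.1 comes from the thread.

```cisco
! Added example (not from the thread): ASA2 forwarding traffic to a
! protected host without translation. Interface names, subnets, the host
! 10.2.2.10 and the ports are assumptions; the route via 10.1.1.1 is from
! the original post.
hostname asa2
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
! ASA 7.x / 8.2: make NAT optional so untranslated packets are forwarded.
! On 8.3 and later this command no longer exists; with no NAT rule
! configured, traffic already passes untranslated, so omit the line there.
no nat-control
!
! Default route toward ASA1 (the route quoted in the original post).
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! Least-privilege alternative to "permit ip any any log": only the ports
! the protected host serves are admitted from the ASA1 side; every other
! inbound packet is dropped and logged.
access-list OUTSIDE_IN extended permit tcp any host 10.2.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.2.2.10 eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two points worth checking when adapting this. First, if the two interfaces are given the same security level, as the original poster considered, the ASA will not pass traffic between them at all until `same-security-traffic permit inter-interface` is configured; keeping the levels different (as above) avoids that. Second, the access list only has to cover the direction in which connections are initiated: replies from 10.2.2.10 are matched against the ASA's connection table, so no NAT entry and no second ACL are needed for the return path. Removing the `inspect` statements, as the reply suggests, makes the box forward more like a router but also drops application-layer checks, so it is better to remove only the inspections that actually interfere with the traffic in question.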
