12-31-2007 11:11 AM - edited 02-21-2020 01:50 AM
I am using an ASA-5540 strictly for IPsec VPN lan-2-lan tunnels and will never be NATing outbound as we have a public Class-B address space.
Since I'm never going to be NATing, can I disable the nat 0 and no-NAT functionality completely so that the ASDM doesn't always supply a no-NAT line for every ACL entry? I'll have 100s of host and network objects and don't want to no-NAT any of them.
If so, how do I disable that?
01-01-2008 06:46 PM
I believe you can accomplish this through the use of the no nat-control command on the ASA. I personally have not faced this scenario but have read about it; look into the nat-control disabling/enabling command and its purpose. I think it should provide you with what you are looking for.
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1603837
Rgds
Jorge
01-02-2008 02:15 PM
Hi,
Looks like you simply need to disable NAT on the firewall. You should have some lines like the ones below.
nat (inside) 0 access-list natzero
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list natzero
nat (DMZ) 1 0.0.0.0 0.0.0.0
You can remove the access-list part and this will remove the natzero config; if you need to remove NAT altogether, then you may want to remove the nat statements altogether. However, you need to look at traffic between different segments, as removing NAT from the firewall completely is not a good idea.
01-02-2008 07:20 PM
Would it be a good idea to remove NAT completely if we don't ever use private address spaces - even in a DMZ scenario?
01-03-2008 10:17 AM
Like someone already said, the 'no nat-control' command is what you're looking for. If you need to NAT anything at a later time, you can still do so. The 'no nat-control' command doesn't mean you can't NAT, only that you don't have to.
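As an added illustration of what the two replies above describe (this is not configuration from any of the posters, and it applies to ASA 7.x/8.0-8.2 where nat-control exists), here is a before/after of the relevant lines. The interface names, the natzero ACL contents, the global statement and the 198.51.100.0/24 and 203.0.113.0/24 addresses are made up for the example.

```cisco
! --- Before: nat-control is on, so every flow must match some NAT rule ---
! (hypothetical config; interface names, ACL contents and addresses are examples)
nat-control
access-list natzero extended permit ip 198.51.100.0 255.255.255.0 any
nat (inside) 0 access-list natzero
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list natzero
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- After: NAT becomes optional and untranslated traffic is forwarded ---
no nat-control
no nat (inside) 0 access-list natzero
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (DMZ) 0 access-list natzero
no nat (DMZ) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
! The natzero ACL is now unreferenced and can go as well
no access-list natzero extended permit ip 198.51.100.0 255.255.255.0 any

! The interface ACLs (not NAT) are what decide who may reach what, so they stay.
! Example: only the remote VPN site may reach the public /24 behind this ASA.
access-list outside_in extended permit ip 203.0.113.0 255.255.255.0 198.51.100.0 255.255.255.0
access-group outside_in in interface outside

! Check that nothing NAT-related is left behind
show running-config | include nat
```

After the cleanup the `show running-config | include nat` output should show `no nat-control` and no remaining `nat` or `global` lines. Two caveats worth knowing: `no nat-control` is the default on a fresh 7.x/8.0-8.2 install, but a box upgraded from PIX 6.x usually has `nat-control` turned on, which is why the identity (nat 0) rules are needed there; and from ASA 8.3 onward the `nat-control` command no longer exists, NAT is optional by default, and only the explicit nat rules you configure are applied, so on those releases the job is just deleting the identity rules. In every case the interface ACLs and security levels, not the NAT table, are what enforce access between segments, which is the point the earlier reply was making about checking inter-segment traffic before removing the rules.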