
Disabling NAT CONTROL

javi_cesp
Beginner

Dear,

I have an ASA 5520 with NAT control enabled at my job. This firewall is very critical for business processes, so I'd like to confirm with you what happens if I disable this control. This command is a legacy of the upgrade of the IOS version from a Cisco PIX to this ASA.

I read a lot about it, and from my perspective nothing is going to happen if I disable this control on the ASA. The only thing is the security fails on the ACLs of the interfaces.

What are your reviews and experience?

Best regards.

Hector.-

1 Reply

Jouni Forss
Mentor

Hi,

In short, to my understanding, when NAT-CONTROL is enabled you will always need a NAT rule that applies to the traffic going through the firewall. If the traffic doesn't have any NAT rule configured, it doesn't go through.

On the other hand, if NAT-CONTROL is DISABLED, the traffic doesn't (necessarily) need a NAT rule.

Access rules are best handled by using ACLs and not by relying on whether a NAT configuration exists or not.

Also, I have never relied on the interface security-levels to define what traffic is allowed.

A small portion from a Cisco document for ASA 8.2 software level regarding "nat-control":

Default Settings

By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT.

- Jouni
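
A pre-change check in the spirit of the reply above, added here as an example and not part of the original thread: it reads a saved running-config and lists the interfaces that have no inbound ACL, which are the ones that would stop being restricted by NAT rules once `no nat-control` is applied. It assumes ASA 8.2-style syntax and the default behaviour that traffic from a higher to a lower security-level interface is permitted when no ACL is bound; the `audit` function and the sample config are constructed for illustration.

```python
import re

# Constructed sample in ASA 8.2-style syntax (not taken from the thread).
SAMPLE_CONFIG = """\
nat-control
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
access-list DMZ-IN extended permit tcp 10.2.2.0 255.255.255.0 any eq 443
access-group DMZ-IN in interface dmz
"""

def audit(config):
    """Return NAT control state and the interfaces that have no inbound ACL."""
    nat_control = False
    levels = {}      # nameif -> security-level
    acl_in = set()   # interfaces with an inbound access-group bound
    nat_if = set()   # real interfaces named in a nat/static rule
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None  # new interface block; nameif not seen yet
        elif line == "nat-control":
            nat_control = True  # "no nat-control" does not match
        elif m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.match(r"access-group \S+ in interface (\S+)", line):
            acl_in.add(m.group(1))
        elif m := re.match(r"(?:nat|static) \(([^),]+)", line):
            nat_if.add(m.group(1))
    lowest = min(levels.values(), default=0)
    # Assumption: with no inbound ACL, only the NAT-rule requirement limits
    # what leaves a higher-security interface; "no nat-control" removes it.
    exposed = sorted(n for n, lvl in levels.items()
                     if lvl > lowest and n not in acl_in)
    return {"nat_control": nat_control, "no_inbound_acl": exposed,
            "has_nat_rules": sorted(nat_if)}
```

Any interface reported under `no_inbound_acl` should get an explicit ACL that reflects the intended policy before NAT control is turned off.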
