Hi,
In short, to my understanding, when NAT-CONTROL is enabled you will always need a NAT rule that applies to the traffic going through the firewall. If the traffic doesn't have any NAT rule configured, it doesn't go through.
On the other hand, if NAT-CONTROL is DISABLED, the traffic doesn't (necessarily) need a NAT rule.
Access rules are best handled by using ACLs and not by relying on whether a NAT configuration exists or not.
Also, I have never relied on the interface security-levels to define what traffic is allowed.
A small portion from a Cisco document for ASA 8.2 software level regarding "nat-control":
Default Settings
By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT.
- Jouni
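
The approach described in the post above, as an added configuration sketch in ASA 8.2-style (pre-8.3) syntax; it is not part of the original post or the Cisco document. The interface names, ACL names and addresses are constructed placeholders, and the point is that NAT control is off while the access policy lives entirely in explicit ACLs.

```text
! Constructed example: names and addresses are placeholders (assumptions).

! NAT control disabled: traffic with no matching NAT rule is still forwarded,
! untranslated, so NAT presence no longer acts as an implicit filter.
no nat-control

! Dynamic PAT only for the inside subnet that needs translation.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! Access policy stated explicitly, independent of NAT and security-levels.
access-list INSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-list INSIDE-IN extended permit udp 10.10.10.0 255.255.255.0 host 192.0.2.53 eq 53
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Checks after applying:
!   show running-config nat-control
!   show xlate
!   packet-tracer input inside tcp 10.10.10.5 1025 198.51.100.10 443
```

The explicit `deny ip any any log` entries make dropped traffic visible in the logs, so a flow that fails can be traced to an ACL decision instead of a missing NAT rule.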