I have an ASA 5520 with nat-control enabled at my job. This firewall is very critical for business processes, so I'd like to confirm with you what happens if I disable this control. This command is a legacy of the software upgrade from a Cisco PIX to this ASA.

I read a lot about it, and from my perspective nothing is going to happen if I disable this control on the ASA. The only thing is that the security then falls to the ACLs on the interfaces.

What are your views and experience?

Best regards.


Jouni Forss
In short, to my understanding, when NAT-CONTROL is enabled you will always need a NAT rule that applies to the traffic going through the firewall. If the traffic doesn't have any NAT rule configured, it doesn't go through.

On the other hand, if NAT-CONTROL is DISABLED, the traffic doesn't (necessarily) need a NAT rule.

Access rules are best handled by using ACLs and not by relying on whether a NAT configuration exists or not.

Also, I have never relied on the interface security levels to define what traffic is allowed.

A small portion from a Cisco document for the ASA 8.2 software level regarding "nat-control":

Default Settings

By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT.

- Jouni
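To make the difference concrete, here is an added ASA 8.2-style configuration fragment (my own example, not Jouni's configuration and not the Cisco document's text) showing the same two inside subnets under nat-control enabled and then disabled, with the interface ACL doing the actual access control. Interface names, subnets and the outside address are assumptions chosen for illustration (203.0.113.0/24 is an RFC 5737 documentation range).

```cisco
! --- State inherited from the PIX upgrade: NAT control ON (assumed example) ---
nat-control
!
! 10.1.1.0/24 matches a dynamic NAT rule, so it is translated and passes.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! 10.1.2.0/24 has NO nat rule. With nat-control on, packets from e.g. 10.1.2.5
! are dropped before the interface ACL is even a factor. The usual fix under
! nat-control is identity NAT / NAT exemption, which lets them pass untranslated:
access-list NO_NAT extended permit ip 10.1.2.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT
!
! --- After removing the legacy requirement: NAT control OFF ---
no nat-control
!
! 10.1.2.5 now passes with no nat rule at all (still untranslated), and the
! existing nat/global and static entries keep applying to the hosts they cover.
! What decides whether traffic is allowed is the interface ACL, not NAT:
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list INSIDE_IN extended permit udp 10.1.0.0 255.255.0.0 any eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! --- Checks to run before and after the change (assumed hostnames/addresses) ---
! show run nat-control                      -> confirms current setting
! show run nat | include nat                -> inventory every nat/static rule
! show run static
! packet-tracer input inside tcp 10.1.2.5 12345 203.0.113.10 443
!   With nat-control on and no matching rule: the NAT phase shows DROP.
!   With nat-control off: NAT phase is skipped and the ACL phase decides.
```

The practical caveats this fragment illustrates: disabling nat-control does not remove or change any existing nat, global or static entries, it only stops the ASA from dropping traffic that matches none of them; hosts that previously needed a nat 0 exemption just to pass will still pass, so make sure the interface ACLs (not the absence of a NAT rule) already express the policy you want before you enter no nat-control; and, as the quoted Cisco text says, addresses you still configure dynamic NAT for are still translated either way. Running packet-tracer for a representative host from each subnet before and after the change is the quickest way to confirm nothing unexpected opens up or breaks.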

