02-22-2013 05:16 AM - edited 03-11-2019 06:04 PM
Hello Team,
I am in the process of replacing the Cisco ASA 5510 with 7.3 OS with a new Cisco ASA 5515X with 8.6 OS. In the existing Cisco ASA 5510, we have configured 'no nat-control', with which the traffic from all sub-interfaces was flowing to the lower security interfaces without any NAT command. Just access-lists were configured.
Now how do I achieve the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.
Thanks
Arabinda
02-22-2013 05:37 AM
Hi,
With the new ASA software 8.3 and onwards, the default operation is that traffic passes the ASA even without NAT translation.
So if you don't want NAT between LAN and DMZ, for example, you simply don't configure any NAT.
Hope this helps
Naturally ask more if you want to clarify something related to the NAT.
- Jouni
02-22-2013 06:11 AM
Thank you Jouni.
Do you think the following configuration should work?
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.x.x.x 255.255.255.224
!
interface Ethernet0/2
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.701
 vlan 701
 nameif project1-servers
 security-level 70
 ip address 172.x.x.x 255.255.255.0
!
access-list outside-acl extended permit ip any any
access-group outside-acl in interface outside
access-list project1-servers-acl extended permit tcp object-group project1-server-network object-group project1-urls object-group project1-ports time-range project1-url
access-list project1-servers-acl extended permit ip object-group project1-server-network host x.x.x.x
access-list project1-servers-acl extended permit tcp object-group project1-server-network host x.x.x.x eq 445
access-list project1-servers-acl extended permit tcp object-group project1-server-network host x.x.x.x object-group project1-ports time-range project1-url
access-list project1-servers-acl extended permit tcp object-group project1-server-network host x.x.x.x object-group project1-ports time-range project1-url
access-list project1-servers-acl extended permit tcp object-group project1-server-network object-group citrix-appcloud-servers object-group citrix-appcloud-ports
access-group project1-servers-acl in interface project1-servers
dhcprelay server x.x.x.x outside
dhcprelay enable project1-servers
route outside 0.0.0.0 0.0.0.0 10.x.x.x
02-22-2013 06:46 AM
Hi,
I guess the ASA isn't directly connected to the Internet itself. I'm just looking at the "permit ip any any" rule which would allow all traffic.
If you don't configure any sort of NAT configuration on the firewall it will simply pass the traffic without NAT.
I can't comment on the other ACL as I don't know the whole network and what is contained in the object-groups.
Without NAT configuration you just simply need to make sure that routing is configured correctly and that the traffic is allowed by the ACL.
- Jouni
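To confirm on the 8.6 box that a flow really is forwarded untranslated and that only routing and the ACL decide its fate, these ASA CLI checks follow the advice above. This is an added example, not part of the thread; the server 172.16.1.20, the outside host 198.51.100.10 and the interface name project1-servers are placeholder values.

```cisco
! Added example (not from the thread). Placeholder addresses:
! 172.16.1.20 = a project1 server, 198.51.100.10 = a host beyond "outside".

! 1. No NAT statements at all -> on 8.3+ nothing is translated.
show running-config nat

! 2. No translation entries should ever be built for these flows.
show xlate

! 3. Simulate the exact flow. The phase list should contain the
!    ROUTE-LOOKUP and ACCESS-LIST phases and no NAT phase, and finish with
!    "Action: allow". A "drop" names the phase (routing or ACL) to fix.
packet-tracer input project1-servers tcp 172.16.1.20 12345 198.51.100.10 445

! 4. Check the return path: the outside side must have a route back to the
!    untranslated 172.16.1.0/24 network, otherwise replies never arrive.
show route

! 5. Confirm the ACLs are still bound where intended.
show running-config access-group
```

Run the packet-tracer in the reverse direction as well (input outside, destination 172.16.1.20) to see exactly what the "permit ip any any" on outside-acl admits toward the server segment.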