Help on ASA 5515X 8.6 IOS for NAT Control

arabindas
Level 1

Hello Team,

I am in the process of replacing a Cisco ASA 5510 running 7.3 OS with a new Cisco ASA 5515X running 8.6 OS. In the existing Cisco ASA 5510 we have configured 'no nat-control', with which the traffic from all sub-interfaces was flowing to the lower security interfaces without any NAT command. Just access-lists were configured.

Now how do I achieve the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.

Thanks

Arabinda

3 Replies

Jouni Forss
VIP Alumni

Hi,

With new ASA software 8.3 and onwards the default operation is that traffic passes the ASA even without NAT translation.

So if you don't want NAT between LAN and DMZ, for example, you simply don't configure any NAT.

Hope this helps

Naturally ask more if you want to clarify something related to the NAT.

- Jouni

Thank you Jouni.

Do you think the following configuration should work?

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.x.x.x 255.255.255.224
!
interface Ethernet0/2
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.701
 vlan 701
 nameif project1-servers
 security-level 70
 ip address 172.x.x.x 255.255.255.0
!
access-list outside-acl extended permit ip any any
access-group outside-acl in interface outside
access-list project1-servers-acl extended permit tcp object-group project1-server-network object-group project1-urls object-group project1-ports time-range project1-url
access-list project1-servers-acl extended permit ip object-group project1-server-network host x.x.x.x
access-list project1-servers-acl extended permit tcp object-group project1-server-network host x.x.x.x eq 445
access-list project1-servers-acl extended permit tcp object-group project1-server-network host x.x.x.x object-group project1-ports time-range project1-url
access-list project1-servers-acl extended permit tcp object-group project1-server-network host x.x.x.x object-group project1-ports time-range project1-url
access-list project1-servers-acl extended permit tcp object-group project1-server-network object-group citrix-appcloud-servers object-group citrix-appcloud-ports
access-group project1-servers-acl in interface project1-servers
dhcprelay server x.x.x.x outside
dhcprelay enable project1-servers
route outside 0.0.0.0 0.0.0.0 10.x.x.x

Hi,

I guess the ASA isn't directly connected to the Internet itself. I'm just looking at the "permit ip any any" rule, which would allow all traffic.

If you don't configure any sort of NAT configuration on the firewall it will simply pass the traffic without NAT.

I can't comment on the other ACL as I don't know the whole network and what is contained in the object-groups.

Without NAT configuration you just simply need to make sure that routing is configured correctly and that the traffic is allowed by the ACL.

- Jouni
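The two points Jouni makes above (no NAT rules means no translation on 8.3+, and the only things left to verify are routing and the ACL) can be checked on the box itself. The fragment below is an added example, not configuration from the thread; the addresses 172.16.1.0/24, 172.16.1.10, 10.0.0.50 and 10.0.0.1 and the object name outside-pat-address are constructed placeholders. It goes one step beyond the thread by showing the identity NAT rule that becomes necessary only if a dynamic PAT for Internet-bound traffic is later added on the same interface pair, and by contrasting the "permit ip any any" outside ACL with an explicit-deny version.

```cisco
! --- Pre-8.3 (the ASA 5510 on 7.x in the question) ---
! NAT was mandatory unless nat-control was switched off:
no nat-control

! --- 8.3 and later (the ASA 5515-X on 8.6) ---
! There is no nat-control keyword. With no "nat" statements at all, traffic
! between project1-servers and outside is routed untranslated, so the
! interface, ACL and route configuration from the thread is sufficient.

! Only if a PAT rule for Internet access is added later does the internal
! traffic need an exemption, written as twice (manual) NAT with identity
! source and destination so it is evaluated before the dynamic rule:
object network project1-server-network
 subnet 172.16.1.0 255.255.255.0
object network outside-pat-address
 host 10.0.0.1
nat (project1-servers,outside) source static project1-server-network project1-server-network destination static outside-pat-address outside-pat-address
nat (project1-servers,outside) source dynamic project1-server-network interface

! Weak inbound policy from the posted config (outside may open any connection
! to every sub-interface). The ASA is stateful, so return traffic for sessions
! opened from project1-servers never needs an inbound permit:
access-list outside-acl extended permit ip any any
! Tighter equivalent: no inbound-initiated connections, with logging so hits
! show up in syslog for review:
access-list outside-acl extended deny ip any any log
access-group outside-acl in interface outside

! Verification from the CLI, one flow each way, which reports the route lookup,
! the ACL decision and which NAT rule (if any) matched:
packet-tracer input project1-servers tcp 172.16.1.10 12345 10.0.0.50 445
packet-tracer input outside tcp 10.0.0.50 445 172.16.1.10 12345
show nat
show route
```

Run the packet-tracer lines before and after any NAT change: the NAT phase in the output should show no rule for the untranslated case, and the identity rule (not the dynamic PAT) once the exemption is in place.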
