cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1400
Views
5
Helpful
4
Replies

Internet working without nat

InTheJuniverse
Level 1
Level 1

We are on Cisco ASA 5516.

 

There is an interface 10.50.70.0/23 on the firewall and it has outbound access list set to 'permit any'. But there is no NAT configured for this interface.

 

Yet, systems behind this interface are able to access internet, how is that possible? I thought NAT was mandatory.

 

Packet tracer:

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop X.X.X.X (gateway) using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
(Access list permit ip any any snipped)
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 386155607, packet dispatched to next module

Result:
input-interface: XXXXX
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

NAT isn't required on the ASA per se.

There could be an upstream device performing NAT for the clients behind the ASA.

Our ASA is the only device that does all the NAT.

Marvin Rhoads
Hall of Fame
Hall of Fame

What does traceroute show you?

I jumped the gun!

 

I looked at the asdm logs and assumed the packets are going through. ACL allowed everything, hence the logs, but on the end host interent access didn't work.

 

Thank you again!

Review Cisco Networking for a $25 gift card