05-18-2012 04:28 PM - edited 03-11-2019 04:08 PM
Hi all
I have an ASA with the latest ASDM. I have 2 questions.
When doing a no-NAT rule between 2 destinations, do I create a NAT rule with my source and destination, then in the bottom box keep both as original? How do I know if NAT control is enabled on the GUI?
I need to see some logs for something that is getting denied. On the bottom of each ACL I don't see the implicit deny rule. Do I need to create one at the bottom of my ACL in question and turn logging to debugging?
Many thanks
05-18-2012 08:28 PM
Hello Carl,
Is the requirement to know it via ASDM, or can it be via CLI?
If CLI, I can help you right now.
Do a sh run nat-control (if you are running a version higher than 8.3, NAT control will be disabled by default).
Regarding the no-NAT rule, yes, you have to leave them as original.
Now, regarding the ACL, in order to log it you need to create it (by default the implicit deny will not generate a log).
Regards,
Do rate all the helpful posts
Julio
Cisco Security Engineer
05-19-2012 02:32 AM
Hi
So if we run 8.4, is traffic allowed to flow through the device without NAT by default?
Also, with the logging messages, are you saying that I need to create an implicit deny under each of my access lists to see the deny logs?
Cheers
05-19-2012 12:10 PM
Hello Carl,
From 8.3 to new versions NAT control is disabled, so if a packet from a higher security level wants to go to a lower version there is no need for a NAT statement as required on 8.2 or lower versions.
If you want to see the deny logs, yes, you will need to do that.
Regards,
DO Rate all the helpful posts
Julio
05-21-2012 04:37 AM
Hi there
What about if traffic, say from outside (low security interface), needs access to a host in the inside (high security) interface: do we need to configure a NAT exemption for this?
Many thanks
Carl
05-21-2012 10:36 AM
Hello Carl,
Not at all, you do not need that, but if you have a private IP address for the internal host you will need to NAT it to the outside world to make it routable... but that is common sense.
It is not required to use it (if you have public IP addresses on the inside interface, then you will not need to do the NAT).
Hope this helps.
Please let me know if you have any other questions; if not, please mark the question as answered.
Regards,
Julio