
Logging and nat rules question

carl_townshend
Spotlight

Hi all

I have an ASA with the latest ASDM. I have 2 questions.

When doing a no-NAT rule between 2 destinations, do I create a NAT rule with my source and destination, then in the bottom box keep both as original? How do I know if NAT control is enabled in the GUI?

I need to see some logs for something that is getting denied. At the bottom of each ACL I don't see the implicit deny rule; do I need to create one at the bottom of the ACL in question and turn logging to debugging?

Many thanks


5 Replies

Julio Carvajal
VIP Alumni

Hello Carl,

Is the requirement to know it via ASDM, or can it be via CLI?

If CLI I can help you right now.

Do a sh run nat-control (if you are running a version higher than 8.3, NAT control will be disabled by default).

Regarding the no-NAT rule: yes, you have to leave them original.

Now regarding the ACL: in order to log it you need to create it (by default the implicit deny will not generate a log).

Regards,

Do rate all the helpful posts

Julio

Cisco Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

So if we run 8.4, then is traffic allowed to flow through the device without NAT by default?

Also, with the logging messages, are you saying that I need to create an implicit deny under each of my access lists to see the deny logs?

cheers

Hello Carl,

From 8.3 to newer versions NAT control is disabled, so if a packet from a higher security level wants to go to a lower security level, there is no need for a NAT statement as required on 8.2 or lower versions.

If you want to see the deny logs yes you will need to do that.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi There

What about if traffic, say from outside (low security interface), needs access to a host on the inside (high security) interface? Do we need to configure a NAT exemption for this?

Many thanks

Carl

Hello Carl,

Not at all, you do not need that, but if you have a private IP address for the internal host you will need to NAT it to the outside world to make it routable... but that is common sense.

It is not required to use it (if you have public IP addresses on the inside interface then you will not need to do the NAT).

Hope this helps.

Please let me know if you have any other question if not please mark the question as answered.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
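As an added example (not part of any post in this thread), here is the ASA 8.4 CLI equivalent of the two ASDM tasks discussed above: a no-NAT (identity twice NAT) rule that leaves source and destination "original" in both directions, and an explicit deny at the bottom of an ACL with logging so denied flows show up in syslog. Interface names, object names and addresses are constructed placeholders.

```cisco
! Added example, not from the thread. Interface and object names and the
! address ranges are constructed placeholders.

! 1. NAT control. On 8.2 and earlier this shows whether it is enabled:
show running-config nat-control
!    On 8.3 and later the nat-control command no longer exists, so a
!    permitted flow needs no NAT statement at all (inside-to-outside routing
!    still needs private hosts translated to a routable address).

! 2. "No NAT" between two networks (the ASDM rule with both Original boxes
!    left unchanged). Source and destination stay as-is in both directions.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET

! 3. Make denies visible. The implicit deny at the end of an ACL has no log
!    keyword, so add an explicit deny ACE with "log" and the level you want;
!    each flow hitting it produces a %ASA-n-106100 message.
access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE-IN extended deny ip any any log debugging
access-group INSIDE-IN in interface inside

! Capture those messages in the local buffer for review.
logging enable
logging buffered debugging

! Verification: hit counts per ACE, then the 106100 deny records.
show access-list INSIDE-IN
show logging | include 106100
```

With "log debugging" on a busy interface the deny ACE can generate a large volume of 106100 messages, so raise the level (for example "log warnings") or narrow the ACE once the troubleshooting is done.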