
Nat-Control issue

Hi All,

Attached a sample design of my setup.

The main objective is to manage the router by using a secondary IP address at the router interface from the DMZ zone.

For your information, NAT Control is enabled on the Cisco ASA firewall.

I assigned a secondary IP address at the router interface by using one of the free IP addresses from the DMZ zone range. I have done a reverse route for that IP address towards the firewall outside interface.

I have done a static NAT in the firewall as static (outside,DMZ) <DMZ IP> <Router LAN IP> netmask 255.255.255.255.

Also, the required access (for this I allowed any) has been allowed in all the interface access-group lists.

Now the issue is that we are unable to reach the router from the DMZ zone. But if I disable NAT-Control, I am able to take control.

Anyway, I don't need NAT-Control as per the setup, but still, NAT-Control will not affect the static NAT (I read some white papers), so why is the configuration not working?

Please explain to me why it is not working if NAT-Control is enabled. I read about NAT Control and understood that all the traffic passing through the interface should have a NAT statement. In my case, I guess I have a static NAT. Correct me if I am wrong.

Regards,

Ganalagu

Accepted Solutions

Mariusz Bochen
Level 1

Hi Ganesan,

A few questions:

Have you tried the packet-tracer while nat-control is enabled?

Would you be able to test it and post the results please?

Are you still using your static when nat-control is disabled?

If you need nat-control enabled, I would use nat 0 with an ACL or a static for the whole DMZ network range (something like static (dmz, outside) netmask

Otherwise the packet will be dropped, since the source address is not included in any NAT rule (if I understood your IP addressing correctly).

Regards

Mariusz

Hi,

Yes, I did an identity NAT for the DMZ IP and now it is working. Now I understand the purpose of NAT Control. I got this answer because of Jenifer Halim's posts.

My special thanks to her and also to you for replying.

Regards,

Gan

You're very welcome.

Thanks for rating

Happy New Year

Regards

Mariusz
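
The fix discussed in this thread, as an added example that is not part of the original posts: ASA configuration in the pre-8.3 syntax where nat-control exists, showing the static from the question next to the NAT exemption or identity static that gives the DMZ source address a NAT rule. All addresses, the ACL name DMZ_NONAT and the test port are constructed assumptions.

```cisco
! Constructed addressing (assumption, not taken from the thread):
!   DMZ network              192.168.50.0/24
!   DMZ management host      192.168.50.10
!   Free DMZ IP for router   192.168.50.250  (mapped address)
!   Router LAN IP            10.10.10.1      (real address, via outside)
nat-control

! Rule from the question: presents the router inside the DMZ range.
! It only translates the router's address; the DMZ host's own source
! address still matches no NAT rule, so nat-control drops the packet.
static (outside,dmz) 192.168.50.250 10.10.10.1 netmask 255.255.255.255

! Option 1: NAT exemption (nat 0 with an ACL), scoped to the single
! management host. The interface ACLs still decide what it may reach.
access-list DMZ_NONAT extended permit ip host 192.168.50.10 any
nat (dmz) 0 access-list DMZ_NONAT

! Option 2: identity static for the whole DMZ range (instead of option 1).
! A static also permits outside-initiated connections to these addresses
! if the outside ACL allows them, so keep that ACL tight.
! static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

! Verify with nat-control still enabled: check the NAT phases and the
! final result/drop-reason in the output. Port 22 is an assumed
! management port.
packet-tracer input dmz tcp 192.168.50.10 1025 192.168.50.250 22
```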
