NAT-Control on ASA

m-haddad
Level 5

Hello,

I have an ASA with three interfaces Inside, outside and DMZ.

Outside security Level 0 IP: 62.x.x.x

Inside Security Level 100 IP: 10.200.0.1

DMZ security Level 90 IP: 192.168.2.1

I have three ACLs, one on each interface. I want the inside hosts to communicate with the DMZ hosts without static NAT or global NAT. I disabled nat-control on the ASA.

The problem is that the Inside was not able to communicate with the DMZ until I added the below static:

static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0

After that the inside was able to communicate with the DMZ and vice versa.

The weird problem is that ICMP was always dropped from inside to DMZ or DMZ to inside with the error: no translation group found for icmp srcinside:x.x.x.x and dstDMZ:x.x.x.x

I added another static NAT from DMZ to inside:

static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

And it worked!!!!

Can anybody explain the above behavior and help me understand what improvement disabling nat-control gave me?

Thanks in Advance,

Regards,


Collin Clark
VIP Alumni

The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global, or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX 7.0 is the specification of the no nat-control command. With PIX Firewall version 7.0, you can change this behavior when you issue the nat-control command.

With nat-control disabled, the PIX forwards packets from a higher-security interface to a lower one without a specific translation entry in the configuration. In order to pass traffic from a lower security interface to a higher one, use access-lists to permit the traffic. The PIX then forwards the traffic.

But that's exactly what has been done. He disabled nat-control (it is the default, but maybe it was enabled). Then the inside hosts could not get to the DMZ hosts UNTIL he used the static identity NAT command, while it should work without NAT (as nat-control was disabled).

Has anyone else actually ever tried configuring the PIX without NAT (7.0 and higher, of course)?

As you said I disabled the nat-control. However, the nat-control did nothing for me. I had to do the Identity NAT entries from higher to lower security level and vice versa.

I wish to know if anybody has tried this scenario before,

Thanks,

I have this working between 3 interfaces with only access-lists configured using no nat-control.

Code is 7.1(2).

Also have the same scenario with 7.2(1)19 code.

Are you sure there are no nat statements configured at all?

With no nat-control, although NAT is not required, if you have a statement which a particular host matches (e.g. when going from inside to outside), then NAT has to be configured also when that host goes to the DMZ.

Hello,

Referring to the URL below:

http://cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html

It says that with no nat-control, NAT statements are not required. I have actually heard this DOES WORK without the NAT statements; only the ACLs are required. But it is always good to have identity NAT configured, since you will have more control over the traffic flowing between interfaces. Otherwise, the PIX firewall will just be like a router, forwarding traffic between two segments without any restriction.

Raj

jgervia_2
Level 1

Hello,

I would do 2 things.

Make sure that you have disabled nat-control properly with a 'no nat-control', take out the statics, and do a 'clear xlate' to make sure that the translations are gone.

Do a 'show run nat-control' and make sure that 'no nat-control' shows up.

The other possibility is that you have a nat/global pair between those 2 interfaces that is making you require the use of statics.

--Jason

Hi. I totally agree with Raj. If you want the inside hosts to communicate with the DMZ and at the same time take advantage of the security provided by the ASA, then you have 2 options.

1.- Either use a static identity NAT

2.- Use nat (interface-name) 0 access-list, defining with an access-list the interesting traffic that is NOT to be NATed

Hello Guys,

I appreciate all your feedbacks. However, I opened a case with Cisco about this issue because even with Identity NAT I was having other problems. Jason had the right answer.

1- If you disable nat-control and you have any nat/global pair, you will need the identity NAT.

2- If you have identity NAT with ALIAS commands this can also cause a problem because traffic from DMZ back to inside won't work because of the alias command. The solution to this problem is DNS Doctoring.

Thanks again,
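The two options above (identity static versus NAT exemption) and the resolution that a nat/global pair is what forces them, written out as a pre-8.3 ASA configuration using the addresses from the original post. This is an added example, not config from the thread or from Cisco; the ACL names, the nat/global pair and the 62.x.x.x placeholder are assumptions.

```cisco
! Added example (not from the thread): inside <-> DMZ with nat-control disabled.
! ACL names, the nat/global pair and the 62.x.x.x values are assumptions.
no nat-control
!
! The nat/global pair for Internet access. Its presence is what makes inside
! hosts require a translation on EVERY interface they talk to, DMZ included,
! even though nat-control is off (the "no translation group found" drops).
nat (inside) 1 10.200.0.0 255.255.0.0
global (outside) 1 interface
!
! Option 1: static identity NAT, in BOTH directions. Without the (DMZ,inside)
! entry, DMZ-initiated traffic to inside has no translation and is dropped.
static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0
static (DMZ,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! Option 2: NAT exemption. Exempted traffic may be initiated from either side,
! so one statement on the inside interface covers both directions.
access-list INSIDE_NONAT extended permit ip 10.200.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
!
! Interface ACLs still decide what is permitted; NAT only decides whether a
! translation exists. Keep the DMZ (lower security) ACL narrow.
access-list DMZ_IN extended permit icmp 192.168.2.0 255.255.255.0 10.200.0.0 255.255.0.0
access-list DMZ_IN extended deny ip any 10.200.0.0 255.255.0.0 log
access-group DMZ_IN in interface DMZ
!
! DNS doctoring replaces the alias command: the dns keyword rewrites the A record
! in DNS replies so inside clients reach the server by its inside address.
! (62.x.x.x and 10.200.0.50 are placeholders.)
static (inside,outside) 62.x.x.x 10.200.0.50 netmask 255.255.255.255 dns
!
! Verification after any NAT change (per Jason's advice):
!   show run nat-control   -> must show "no nat-control"
!   clear xlate            -> remove stale translations
!   show xlate             -> confirm which translation each flow actually uses
```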

Glad to help. Pix nat is not a simple concept - I wish they would change it.

Don't forget to rate my previous message if it actually helped. :)

--Jason

Hello Jason,

I honestly opened a case with Cisco to get this clarified. I couldn't wait so long to get feedback through the forum. However, since you have tackled the problem I will give it a simple rating, for otherwise I would have rated it a 5.

Regards,
