08-28-2010 03:10 PM - edited 03-11-2019 11:31 AM
Hi All,
Can someone explain to me what the use of the commands nat-control and no nat-control on the ASA is? I am a newbie to ASA.
I tried searching a lot on the internet but I didn't find a simple and explanatory answer.
Please, can anyone help me out?
Thanks
08-28-2010 03:17 PM
Hello,
nat-control (or no nat-control) is a way of enforcing the NAT requirements
on the Cisco Firewall (pre 8.3 code versions). If you configure nat-control,
then the firewall enforces the rule that every packet going from a higher
security to a lower security interface needs a NAT rule configured. If you configure "no
nat-control", then the firewall will not enforce the NAT requirement as long
as you have not configured any NAT rule for a specific traffic flow on that
interface.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#backinfo
Hope this helps.
Regards,
NT
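The following is an added example, not part of the original post, showing what the nat-control setting described above changes on a pre-8.3 ASA. The interface names, security levels and the 192.168.1.0/24 and 172.16.1.0/24 addresses are assumed for illustration.

```cisco
! Added example (not from the original thread): pre-8.3 ASA configuration
! showing the effect of nat-control on an inside -> dmz flow.
! Interface names, security levels and addresses are assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Case 1: nat-control enabled. A connection from 192.168.1.10 to 172.16.1.5
! (higher -> lower security) is dropped unless a NAT rule matches it.
! The nat/global pair below satisfies the requirement by PATing inside
! hosts to the dmz interface address (172.16.1.1).
nat-control
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
!
! Case 2: nat-control disabled. The same flow passes untranslated and no
! nat/global pair is needed for it at all.
no nat-control
!
! Confirm the decision for the flow before and after the change
! (packet-tracer is available on ASA 7.2 and later):
! packet-tracer input inside tcp 192.168.1.10 12345 172.16.1.5 80
```

With nat-control on and no matching rule, the packet-tracer output ends in a NAT phase drop and the ASA logs %ASA-3-305005 "No translation group found"; that message is the quickest way to tell a nat-control drop from an access-list denial when troubleshooting.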
08-28-2010 04:02 PM
Thanks for your fast response
I would like to let you know that the link you provided is not available.
What I understand from your explanation is that this is used when we don't want to use NAT from a high security-level interface to a low security-level interface, for instance from inside to DMZ.
Can you give me an example for further clarification?
Thanks, I really appreciate it.
08-28-2010 04:16 PM
Hello,
Here is the link again:
http://tinyurl.com/dmvylq
So, essentially, when you disable nat-control, you are allowed to go from a
higher security interface to a lower security interface without NAT. For
example, let us say you have a public IP range on your inside network and
DMZ network. Then, you actually do not need any NAT. So, you could disable
NAT control. The other scenario I can think of is if you have a firewall just
to protect different network segments and you have a different device that
is handling NAT. In that case, again you can use "no nat-control".
http://tinyurl.com/6gcquh
Hope this helps.
Regards,
NT
08-28-2010 05:08 PM
Hi,
Assume that I have internal hosts and I want to allow them to access a Web Server residing in the DMZ segment, and this server has a private IP address, e.g. 172.16.1.5. Therefore, in that case I can use NAT exemption; this is the explanation I got after surfing the web.
Please advise.
08-28-2010 05:17 PM
Hello,
That depends upon your requirement. You could hide your internal clients
behind a DMZ address by using NAT (if you want it to be more secure) or you
can certainly use NAT exemption. One drawback of NAT exemption (access-list
based nat 0 configuration) is that it will allow bi-directional connections.
So, anybody from the DMZ can open connections to your internal network. Dynamic
PAT on the DMZ interface will ensure that nobody is allowed to open an
unauthorized connection from the DMZ to inside.
In the reverse path, if you would like, you can force all your internal
clients to browse that server using its public IP as well. If you have an
internal DNS server that resolves all DNS queries for your domain, you have
the freedom of setting the A record for your website and set either public
IP or private IP based on your requirements. If you decide that you want to
use public IP, then you will need to use Static NAT. If you want to use
private IP, then you do not need to do anything. But if you want to use both
addresses, then you need to make use of policy-nat configurations.
Hope this helps.
Regards,
NT
08-28-2010 05:24 PM
hi,
Great, it was quite informative. I will be very thankful if you can give me some command reference to configure Dynamic and Static NAT and ACLs to accomplish this configuration.
08-28-2010 05:35 PM
Hello,
Here are the links again:
http://tinyurl.com/dmvylq
http://tinyurl.com/6gcquh
The first link has few examples and corresponding configuration commands.
Second one is a command reference guide.
Hope this helps.
Regards,
NT
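The configuration requested above, as an added example that is not part of the original thread: it puts the DMZ web server scenario from the earlier answer (static NAT for the public address, dynamic PAT or NAT exemption for inside clients) into pre-8.3 ASA commands. The inside subnet 192.168.1.0/24, the public address 203.0.113.10, the interface names and the ACL names are assumptions; the server address 172.16.1.5 is the one from the thread.

```cisco
! Added example (not from the original thread): pre-8.3 ASA configuration for
! a DMZ web server 172.16.1.5 reached from the Internet on a public address and
! from inside clients on its private address. Interface names, the inside
! subnet 192.168.1.0/24, the public address 203.0.113.10 and ACL names are assumed.
nat-control
!
! --- Outside -> DMZ: static NAT publishes the server, ACL permits only HTTP ---
! Pre-8.3 ACLs on the outside interface reference the translated (public) address.
static (dmz,outside) 203.0.113.10 172.16.1.5 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! --- Inside -> DMZ, option A: dynamic PAT behind the dmz interface address ---
! Inside clients appear to the server as 172.16.1.1. A dynamic translation is
! only built for connections initiated from inside, so a DMZ host has no
! translation toward 192.168.1.0/24 and, with nat-control on, its connection
! attempts to inside are dropped for lack of one.
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
global (outside) 1 interface
!
! --- Inside -> DMZ, option B: NAT exemption, clients keep their real addresses ---
! Pick A or B; both are shown here. nat 0 access-list is matched before nat ID 1,
! so this overrides option A for the named flow. Exemption is bidirectional: it
! also lets DMZ hosts initiate connections to 192.168.1.0/24 untranslated, so
! the dmz interface ACL below is what actually stops DMZ -> inside traffic.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- DMZ -> inside: deny explicitly, still allow DMZ hosts out to the Internet ---
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Check the resulting decision for each direction before relying on it:
! packet-tracer input inside tcp 192.168.1.10 40000 172.16.1.5 80
! packet-tracer input dmz tcp 172.16.1.5 40000 192.168.1.10 445
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
```

Whichever option you choose for inside clients, keep the DMZ_IN access-list: relying on the absence of a translation to block DMZ-to-inside connections is fragile, because a later nat 0 or static entry silently reopens that path, while an explicit deny on the dmz interface does not depend on the NAT table. The second packet-tracer line should report a drop in the ACCESS-LIST phase with the DMZ_IN ACL in place.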
08-28-2010 05:44 PM
OK, I will implement this in my environment and do some tests. I will keep you updated. Thanks.