08-21-2013 07:22 AM - edited 03-11-2019 07:28 PM
Our ASA is running 8.0 code. In the ASDM, nat-control was inadvertently turned off. We will be turning nat-control back on in a future maintenance window.
Do the configured NAT rules still influence packet flow in this condition? In other words, if additional NAT rules were configured would they work even if they are not required (by virtue of no nat control)?
08-21-2013 07:40 AM
Hi,
NAT configurations should work and be applied whatever the "nat-control" setting is. The default setting for your software level is "no nat-control" but to my understanding if the device was upgraded from some earlier software this command might be enabled to keep the setup the same way.
You should be able to use the "packet-tracer" command to confirm what happens to each packet (simulate packets entering some interface) and confirm which translation they hit or don't hit. If you need help with the command format, please ask.
The Cisco 8.0 Command Reference suggests having "no nat-control" and rather using ACLs to enforce access rules.
Here is a quote from the document:
Usage Guidelines
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
The nat-control command is used for NAT configurations defined with earlier versions of the security appliance. The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the security appliance.
Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule.
Similarly, if you enable outside dynamic NAT or PAT with NAT control, then all outside traffic must match a NAT rule when it accesses an inside interface.
Static NAT with NAT control does not cause these restrictions.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.
The "nat-control" is actually a setting that Cisco removed from the firewall software in 8.3 (when NAT format changed completely) so if you were to upgrade the ASA to even newer software it would mean that the whole concept of "nat-control" would already be gone.
I have personally never relied on its use.
Here are some links for more information:
Software 8.0 Command Reference - nat-control command
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422
Software 8.0 Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065218
Hope these help.
- Jouni
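To make the answer above concrete, here is an added example (not from the thread or from Cisco's documents) of the same two translations in 8.0 syntax, first relying on nat-control and then in the form the command reference recommends, followed by the packet-tracer calls used to verify which path a given host takes. The addresses (192.168.10.0/24 inside, 203.0.113.0/24 public, 198.51.100.20 as a test destination) and the ACL name inside_out are placeholders.

```text
! Added example, not from the original thread. ASA 8.0 (pre-8.3) NAT syntax.
! Placeholder addressing: inside 192.168.10.0/24, public 203.0.113.0/24.
!
! --- Variant A: nat-control on (the legacy behaviour the OP must keep) ---
nat-control
! Dynamic PAT for the inside subnet, paired with global pool id 1
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
! One-to-one static for a server. Static NAT does not trigger the
! "everything must match a NAT rule" restriction quoted above.
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
! With nat-control on, an inside host that matches no nat rule (e.g. 192.168.20.5)
! is dropped at the NAT stage and logged as syslog 305005 "No translation group found".
!
! --- Variant B: no nat-control plus an explicit access rule (the recommended form) ---
no nat-control
! The translations themselves are unchanged and are still applied
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
! Access control now lives in the ACL; the implicit deny at the end of the
! list is what stops hosts outside 192.168.10.0/24, not a missing NAT rule.
access-list inside_out extended permit ip 192.168.10.0 255.255.255.0 any
access-group inside_out in interface inside
!
! --- Verification with packet-tracer (simulated TCP/80 flows entering "inside") ---
! A host covered by the dynamic PAT rule:
packet-tracer input inside tcp 192.168.10.50 1025 198.51.100.20 80
! A host covered by no NAT rule at all:
packet-tracer input inside tcp 192.168.20.5 1025 198.51.100.20 80
! Read the "Type: NAT" phase of each trace to see which rule (if any) matched.
! Under Variant A the second trace is dropped in the NAT phase; under Variant B
! it reaches the "Type: ACCESS-LIST" phase, where inside_out denies it.
! show xlate then lists the translations the ASA has actually built.
```

The point of running both traces is that the second host behaves differently depending on the nat-control setting even though the NAT rules are identical: with nat-control on, the absence of a rule is itself the drop reason, while with it off the ACL must carry that decision.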
08-21-2013 08:22 AM
Thank you for the quick response. My mind is still confused moving between 8.0 and 8.4+ platforms when the topic gets to NAT. The answer is -exactly- what I needed. The information is found elsewhere but not stated as clearly as in your reply.
We are working with a legacy device (migration from PIX) so the nat-control configuration was maintained (and must be by our secpolicy). I really appreciate the tip about packet tracer. It will be helpful to validate our current state.
08-21-2013 08:36 AM
Hi,
Glad if it helped.
I have almost only used the new NAT format for some time now so I am starting to forget some NAT related specifics of the 8.2 and below software versions.
I did also write a NAT document about the 8.3+ NAT format, though it still needs some work.
Here is a link to it:
https://supportforums.cisco.com/docs/DOC-31116
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more though and I will see if I can answer your question.
- Jouni
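Since the OP is moving between 8.0 and 8.4+ and the reply above points at the 8.3+ NAT format, here is an added example (not from the thread or from the linked document) of the same policy as the 8.0 configuration, written in 8.3+ object NAT syntax. Object and ACL names (inside-net, web-server, outside_in, inside_out) and the addresses are placeholders.

```text
! Added example, not from the original thread. ASA 8.3+ (object NAT) syntax.
! Same placeholder addressing as the 8.0 example: inside 192.168.10.0/24, public 203.0.113.0/24.
!
! Dynamic PAT for the inside subnet, defined on the network object itself
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
! One-to-one static for the server
object network web-server
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.10
!
! Migration caveat: from 8.3 on, interface ACLs match the REAL (untranslated)
! address on both interfaces. The inbound rule therefore names the server's
! real host via the object, not the mapped 203.0.113.10 a pre-8.3 ACL would use.
access-list outside_in extended permit tcp any object web-server eq 80
access-group outside_in in interface outside
!
! nat-control no longer exists: a flow that matches no NAT rule is forwarded
! untranslated if the ACL permits it, so this explicit inside ACL is the only
! thing that stops hosts outside 192.168.10.0/24 from leaving.
access-list inside_out extended permit ip object inside-net any
access-group inside_out in interface inside
!
! packet-tracer works the same way as before; check the NAT and ACCESS-LIST phases
packet-tracer input inside tcp 192.168.10.50 1025 198.51.100.20 80
packet-tracer input inside tcp 192.168.20.5 1025 198.51.100.20 80
```

The practical consequence for a policy that relied on nat-control is that, after an upgrade past 8.3, every "no NAT rule means no access" assumption has to be restated as an explicit deny (or a narrow permit) in the interface ACL, and every outside-facing ACL has to be rewritten in terms of real rather than mapped addresses.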