No NAT-CONTROL with NAT rules configured

robert confino
Level 1

Our ASA is running 8.0 code. In the ASDM, nat-control was inadvertently turned off. We will be turning nat-control back on in a future maintenance window.

Do the configured NAT rules still influence packet flow in this condition? In other words, if additional NAT rules were configured, would they work even if they are not required (by virtue of no nat-control)?

2 Accepted Solutions


3 Replies

Jouni Forss
VIP Alumni

Hi,

NAT configurations should work and be applied whatever the "nat-control" setting is. The default setting for your software level is "no nat-control" but to my understanding if the device was upgraded from some earlier software this command might be enabled to keep the setup the same way.

You should be able to use the "packet-tracer" command to confirm what happens to each packet (simulate packets entering some interface) and confirm which translation they hit or don't hit. If you need help with the command format, please ask.

The Cisco 8.0 Command Reference suggests having "no nat-control" and using ACLs instead to enforce access rules.

Here is a quote from the document:

Usage Guidelines

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.

The nat-control command is used for NAT configurations defined with earlier versions of the security appliance. The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the security appliance.

Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule.

Similarly, if you enable outside dynamic NAT or PAT with NAT control, then all outside traffic must match a NAT rule when it accesses an inside interface.

Static NAT with NAT control does not cause these restrictions.

By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.

"nat-control" is actually a setting that Cisco removed from the firewall software in 8.3 (when the NAT format changed completely), so if you were to upgrade the ASA to even newer software, the whole concept of "nat-control" would already be gone.

I have personally never relied on its use.

Here are some links for more information:

Software 8.0 Command Reference - nat-control command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422

Software 8.0 Configuration Guide

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065218

Hope these help.

- Jouni
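As an added illustration (not code from this thread or from Cisco), the following Python model applies the quoted usage guidelines to a constructed pre-8.3 nat/global/static configuration: a flow that matches a NAT rule is translated whether nat-control is on or off, and nat-control only decides what happens to flows that match nothing. The interface security levels, sample addresses and result labels are assumptions; nat 0, policy NAT and PAT port allocation are not modelled.

```python
import ipaddress as ipa

# Constructed sample in the pre-8.3 nat/global/static syntax (not taken from the thread).
SAMPLE_CONFIG = """nat-control
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
"""
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # assumed interface levels

def parse_nat_config(text):
    """Minimal parser for nat-control, nat, global and static lines (nat 0 / policy NAT ignored)."""
    pol = {"nat_control": False, "nat": [], "global": {}, "static": []}
    for line in text.splitlines():
        t = line.split()
        if t == ["nat-control"]:
            pol["nat_control"] = True
        elif t[:2] == ["no", "nat-control"]:
            pol["nat_control"] = False
        elif t[:1] == ["nat"]:       # nat (ifc) id real_net real_mask
            pol["nat"].append((t[1].strip("()"), int(t[2]), ipa.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[:1] == ["global"]:    # global (ifc) id pool|interface
            pol["global"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[:1] == ["static"]:    # static (real_ifc,mapped_ifc) mapped real netmask mask
            r_ifc, m_ifc = t[1].strip("()").split(",")
            real_net = ipa.ip_network(f"{t[3]}/{t[5]}", strict=False)
            pol["static"].append((r_ifc, m_ifc, real_net, ipa.ip_address(t[2])))
    return pol

def find_translation(pol, in_ifc, out_ifc, src):
    """Translation a packet from src would hit on the in_ifc -> out_ifc path, or None."""
    src = ipa.ip_address(src)
    for r_ifc, m_ifc, real_net, mapped in pol["static"]:       # static entries are checked first
        if (r_ifc, m_ifc) == (in_ifc, out_ifc) and src in real_net:
            return ("static", str(mapped + (int(src) - int(real_net.network_address))))
    for ifc, nid, real_net in pol["nat"]:                       # then nat/global id pairs
        if ifc == in_ifc and src in real_net and (out_ifc, nid) in pol["global"]:
            return ("dynamic", pol["global"][(out_ifc, nid)])
    return None

def nat_decision(pol, levels, in_ifc, out_ifc, src):
    """A matching rule is used whatever nat-control says; nat-control only adds a 'must match'
    requirement for higher->lower flows and for flows entering an interface with dynamic NAT."""
    hit = find_translation(pol, in_ifc, out_ifc, src)
    if hit:
        return ("translate",) + hit
    dyn_on_ingress = any(ifc == in_ifc for ifc, _, _ in pol["nat"])
    if pol["nat_control"] and (levels[in_ifc] > levels[out_ifc] or dyn_on_ingress):
        return ("drop", "nat-control", "no matching NAT rule")
    return ("forward", "untranslated", None)
```

Running `nat_decision` for the same source with nat-control on and off shows that only the unmatched flow changes outcome, which is the point of the reply above; the real check on the appliance is still packet-tracer.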

Thank you for the quick response. My mind is still confused moving between 8.0 and 8.4+ platforms when the topic gets to NAT. The answer is -exactly- what I needed. The information is found elsewhere but not stated as clearly as in your reply.

We are working with a legacy device (migration from PIX) so the nat-control configuration was maintained (and must be by our secpolicy). I really appreciate the tip about packet tracer. It will be helpful to validate our current state.

Hi,

Glad if it helped.

I have almost only used the new NAT format for some time now, so I am starting to forget some NAT-related specifics of the 8.2 and earlier software.

I did also write a NAT document about the 8.3+ NAT format, though it would still require some work.

Here is a link to it:

https://supportforums.cisco.com/docs/DOC-31116

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more though and I will see if I can answer your question.

- Jouni
