06-13-2013 08:14 AM - edited 03-11-2019 06:57 PM
Hi,
We are using Cisco ASA 5550 with version 8.0.5.
We have the below setup in our network:
Site 1 Site 2
| |
Fw -------> Metro ------> Int Fw ----Internet
Setup -
- Each site has a Cisco ASA 5550 with version 8.0.5, wherein nat-control is enabled on both FWs.
- If we want to access the internet from Site 1 we need to put an inside ACL and a nonat for that.
- Then it will come to the Site 2 firewall and, after putting an ACL and PAT, it goes to the internet from Site 2.
Questions-
1) I would like to know how the NO NAT statement works on ASA.
For instance I have
nat (INSIDE) 0 access-list NO-NAT
In the NO-NAT access list I only need to mention it on IP level, because when I entered the access list with tcp statements it removed the nat 0 statement from the interface and gave an error that nat (INSIDE) 0 was removed:
ERROR: ACE contains port, protocol, or deny. Removing NAT configuration
nat (INSIDE) 0 access-list NO-NAT
Is this behaviour of the ASA normal?
Do we have any alternative or any solution for the same?
2) Do we need to have nat-control enabled on an ASA where the internet gateway is not configured?
Is there any impact if we disable nat-control where the internet gateway is not configured, e.g. in Site 1 as per our setup?
It would be really great if anyone can explain this and give us a solution for the same.
Regards
Pranav
06-13-2013 08:53 AM
Hi,
Cisco documentation and the warning message states that NAT0 access-list configuration can only contain "permit ip" statements between hosts/networks.
The reason why the NAT0 configuration gets removed is because you add an ACL statement which makes the ACL incompatible with the NAT0 configuration.
The only NAT configuration where using "permit tcp" or "permit udp" is accepted is Policy NAT/PAT configurations.
I would highly suggest NOT using NAT for controlling access through the firewall. If you ever happen to upgrade to software level 8.3 or newer then the "nat-control" will be no more and you can't even do this anymore.
I would suggest using interface based ACLs to control what traffic/connections are allowed through the ASA firewall.
If you remove "nat-control" there shouldn't be any problems. The problematic situation might more likely be if you wanted to ADD "nat-control" to an existing environment. Removing the "nat-control" should mean that Site1 ASA would no more require a NAT configuration for certain traffic to pass. Naturally other things could still affect if the connection goes through or not.
The default setting on the ASA should be that "nat-control" is DISABLED.
Here is what Cisco documentation says
Default Settings
By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT. See the Chapter 29 "Configuring Dynamic NAT and PAT," for more information about how dynamic NAT is applied.
Source:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1043201
If your Site1 ASA doesn't have any local Internet connection and has no need to NAT IP addresses locally you might even be able to remove "nat-control" and remove all NAT configurations from the ASA if you wanted. Alternatively you could simply configure NAT0 for each local network of Site1 towards any other network since Site2 should be the only device doing NAT towards Internet.
Hope this helps
Please remember to mark a reply as the correct answer if it answered your question.
Naturally ask more if needed
- Jouni
06-13-2013 09:34 AM
Hi Jouni,
Really thanks for your reply ...
Can you please share with me any Cisco document related to this, that the NAT0 access-list configuration can only contain "permit ip" and that if by chance we enable nat 0 on tcp level the nat 0 statement gets removed?
Is this same function applicable for all versions before 8.3 on Cisco ASA?
Can you please also tell me the advantages and disadvantages of nat-control so it will help me to get a deep dive on it.
Slightly one addition on the setup of our office:
site 3
|
Site 1 mpls Site 2
| |
Fw -------> Metro ------> Int Fw ----Internet
Sites get connected to other sites with MPLS, wherein I think just because of nat-control being enabled on the Site 1 ASA we need to do MPLS NAT on the Site 1 firewall for internal site communication. (Note: we only have one internet gateway, which is in Site 2.)
If we disable nat-control on Site 1 then what things do we need to take into consideration? If we enable access in the ACL, and as there is already MPLS NAT enabled in the current config in Site 1, then is there anything we need to add for the MPLS connection?
Regards
06-13-2013 10:35 AM
Hi,
A Cisco document mentions the following for example
To configure NAT exemption, enter the following command:
hostname(config)# nat (real_interface) 0 access-list acl_name [outside]
Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section). This access list can include both permit ACEs and deny ACEs. Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption considers the inactive and time-range keywords, but it does not support ACL with all inactive and time-range ACEs.
Source:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541
It's the ASA Configuration Guide for software level 8.0.
The "nat-control" doesn't exist in the 8.3 and later software anymore, so you can't configure that there.
I personally don't use the "nat-control" as I don't want the NAT configuration to define what traffic is allowed and what is not. I simply configure those in the interface ACLs.
To my understanding if you remove "nat-control" on Site1 then nothing should really change drastically. I mean you currently have a setting that REQUIRES NAT for traffic to pass the firewall. And the configuration you would be changing is to remove this limitation. So some traffic might be able to pass the firewall that was not allowed to pass before. Then again the traffic that is going through now according to the NAT configurations should continue to do so.
- Jouni
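Added example (not code from the thread or from Cisco): a small pre-change checker that applies the rule from the ASA error in the question ("ACE contains port, protocol, or deny. Removing NAT configuration") to a candidate config. It finds every `nat (iface) 0 access-list NAME` binding, inspects the ACEs of the referenced access lists, and reports any ACE that is not a plain `permit ip` between hosts or networks, so the exemption ACL is caught before the ASA silently drops the `nat 0` line. The config text, interface and ACL names are constructed for the example; the companion interface ACL `INSIDE_IN` shows where the protocol/port restriction belongs instead, as both replies recommend.

```python
"""Checker for ASA 8.x NAT-exemption (nat 0 access-list) ACLs.

Added example, not from the thread. The rule encoded here is the one the
ASA printed in the question: an ACE in a nat 0 exemption ACL must be a
"permit ip" between hosts/networks, with no port operator, no other
protocol, and no deny.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample config; names and addresses are assumptions, not from the thread.
SAMPLE_CONFIG = """\
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO-NAT extended permit tcp 10.1.0.0 255.255.0.0 host 10.2.1.5 eq 443
access-list NO-NAT extended deny ip 10.1.9.0 255.255.255.0 any
access-list NO-NAT extended permit ip host 10.1.1.1 any
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
nat (INSIDE) 0 access-list NO-NAT
access-group INSIDE_IN in interface INSIDE
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+)(.*)$")
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


@dataclass
class Finding:
    acl: str
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def reason(self) -> str:
        return "; ".join(self.reasons)


def nat0_bindings(config: str) -> Dict[str, str]:
    """Map each exemption ACL name to the interface it is bound to by nat 0."""
    bindings = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            bindings[m.group(2)] = m.group(1)
    return bindings


def check_nat0_acls(config: str) -> List[Finding]:
    """Return the ACEs that would make the ASA remove the nat 0 configuration."""
    exempt_acls = nat0_bindings(config)
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m or m.group(1) not in exempt_acls:
            continue  # not an ACE, or an ACL not used for NAT exemption
        acl, action, proto, rest = m.groups()
        reasons = []
        if action == "deny":
            reasons.append("deny ACE")
        if proto != "ip":
            reasons.append(f"protocol '{proto}' instead of ip")
        if PORT_OPERATORS & set(rest.split()):
            reasons.append("port operator present")
        if reasons:
            findings.append(Finding(acl, line, reasons))
    return findings


if __name__ == "__main__":
    for f in check_nat0_acls(SAMPLE_CONFIG):
        print(f"[{f.acl}] {f.line}\n    -> {f.reason}")
```

Run against a saved `show running-config` before pushing a NAT-exemption change; any line it reports is one the ASA would reject, and the protocol or port restriction it carries should be moved into the interface ACL (`access-group ... in interface ...`) rather than the `nat 0` ACL.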