
'Only' NAT'd Traffic Allowed Between ASA Interfaces

fredfrillon
Level 1

I've just set up (2) ASAs. In doing so, I've run into the same problem on each one (i.e., I must configure NAT on each interface for the traffic to flow between them).

According to my literature and the videos I've been through, I should not have to perform NAT for the traffic to move between the different interfaces.

Questions:

  • What have I done wrong?
  • What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it set up this way, it just doesn't look 'clean' to me.

Notes about my configurations:

  • Same security level traffic is permitted
  • All interfaces have their security levels set to 100
  • I've reset the ACLs to allow all traffic as well (*this is a lab)
  • All tcp-udp traffic is inspected by default on ASAs

 

Many thanks.

Fred

 

7 Replies

David paull
Level 1

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

Hi fredfrillon, can you please provide a diagram and what you want to achieve?

Regards,
Bikash

NAT-Control: NA, deprecated.

Without Nat-Control: As I mentioned previously, I must use NAT, or the traffic will not flow between interfaces. This is my problem. It doesn't make sense that I should need to use NAT for traffic to flow between the different interfaces.

Notes about my configurations:

  • Same security level traffic is permitted
  • All interfaces have their security levels set to 100
  • I've reset the ACLs to allow all traffic as well (*this is a lab)
  • All tcp-udp traffic is inspected by default on ASAs

...

Questions:

  • What have I done wrong?
  • What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it set up this way, it just doesn't look 'clean' to me.

 

 

Ok, so how about providing some information for someone to look over instead of saying you set up a device and it's not working how you expect it to?

 

Do you really think that's how troubleshooting works?

Andre Neethling
Level 4

Hi Fred. Which ASA platform and software versions are you running?

ASA 5520s

Ver 8.4(2)

 

Hi Fred. Are you using the ASA as a default gateway for your clients? Can you post your config?

 

 

 

 
