12-30-2010 02:49 AM - edited 03-11-2019 12:28 PM
Hi experts,
I think that nat-control does not affect static and that nat-control is only for the nat commands, right? In the scenario below, will static NAT be required or not for the inbound traffic? The ASA has inspect icmp as well, and Router 2 has the ASA outside as its DG.
User PC -----Router 1-----[INSIDE-100]ASA [OUTSIDE-0]----Router 2
If I ping from Router 2 to Router 1, will static be required or not?
If Router 1 is 172.16.10.10, I think that we require the following static and an ACL on the ASA outside interface:
static (inside,outside) 172.16.10.10 172.16.10.10
Can there be any scenario where it works without any static? I was trying in my lab and found that it works without static as well.
12-30-2010 03:25 AM
Hi,
nat-control requires you to have a NAT statement for any flow going from a lower security level (inside) to a higher security level (outside).
You can see if nat-control is enabled: sh run nat-control.
If it is disabled (no nat-control), you will be able to send packets from inside to outside without NAT.
Dan
12-30-2010 03:31 AM
Yes, you are right. "nat-control" is only for dynamic NAT statements, so for traffic from low to high security level, you are still required to configure a static statement.
If you are pinging from Router 2 to Router 1, a static NAT statement is required.
You can either configure a static NAT statement or NAT exemption (NAT 0 with ACL).
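The two options named in the last reply, written out for the thread's topology as an added example that is not part of any poster's message. It uses the pre-8.3 ASA syntax the thread is written in; the ACL names NONAT and OUTSIDE_IN are assumptions chosen for illustration.

```cisco
! Added example (constructed), pre-8.3 ASA syntax.
! Router 1 = 172.16.10.10 behind "inside" (security 100),
! Router 2 behind "outside" (security 0).

! Check whether NAT enforcement is on. "no nat-control" means traffic
! with no matching NAT rule is passed untranslated.
show run nat-control

! --- Option A: identity static, as proposed in the question ---
static (inside,outside) 172.16.10.10 172.16.10.10 netmask 255.255.255.255

! --- Option B: NAT exemption (nat 0 with an ACL) ---
! Use instead of Option A, not together with it.
access-list NONAT extended permit ip host 172.16.10.10 any
nat (inside) 0 access-list NONAT

! --- Needed with either option ---
! Traffic from security level 0 to 100 is denied unless an ACL on the
! outside interface permits it. Only echo requests to Router 1 are
! allowed here; "inspect icmp" lets the echo replies return.
access-list OUTSIDE_IN extended permit icmp any host 172.16.10.10 echo
access-group OUTSIDE_IN in interface outside

! --- Verify ---
show xlate
show access-list OUTSIDE_IN
```

Keeping the inbound ACL scoped to ICMP echo toward the single host, rather than `permit ip any any`, limits what the outside segment can reach once the translation or exemption exists.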