03-14-2012 01:19 PM - edited 03-11-2019 03:42 PM
Hey, I have an older ASA which is running nat-control. I'm assuming I can turn this feature off without causing any
network-related outages, since as far as I know all nat-control does is require a NAT to be configured between
different interfaces on the ASA. I was hoping that if I disable this feature, the NAT-between-interfaces requirement will no
longer be an issue for communication between different interfaces.
03-14-2012 02:00 PM
Hi John,
Nat-control requires source NAT for the flows initiated from a higher security level (ex. 100/inside) to a lower security level (ex. 0/outside). Disabling this will allow you to forward the flows without this requirement. The NAT configuration that is already in place will not be affected by this.
Regards
Dan
03-14-2012 11:25 PM
Hello John,
Great answer by Dan. Just to add something else: everything will work; the only thing that changes, as you point out, is that you DO NOT need a NAT rule to allow traffic between different interfaces, but you still NEED the ACLs for traffic flowing from lower to higher security levels.
Have a good one
Do rate all the helpful posts
Julio
03-15-2012 07:08 AM
I did find something interesting, and I believe I have actually read this in a thread on some random site before.
After I turned off nat-control (which happened successfully), when I ran packet-tracer it was giving me an error
saying that there was no global NAT for the private network to go to the less secure network, so to speak. So
I set up identity NAT between two hosts in each network and the packet-tracer ran successfully without any
problems. I don't know if this is a bug, or a software version issue.
03-15-2012 08:12 AM
Hi John,
I do not know if packet-tracer takes into account nat-control status when checking the flow permission. My impression is that it does not check it. I have never used packet-tracer with nat-control disabled, but I can run a simple test.
Regards
Dan
03-15-2012 11:14 AM
Hi,
(.1) R1 -------10.10.1/24--------- FW ----------10.10.3/24-----------R3 (.1)
===== R1
R1#s ip inter brie | e una
Interface IP-Address OK? Method Status Protocol
FastEthernet1/0 10.10.1.1 YES manual up up
R1#s ip ro | b Gat
Gateway of last resort is 10.10.1.100 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.1.0 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 10.10.1.100
R1#
====== R3
R3#s ip inter brie | e una
Interface IP-Address OK? Method Status Protocol
FastEthernet1/0 10.10.3.1 YES manual up up
R3#s ip ro | b Gat
Gateway of last resort is 10.10.3.100 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.3.0 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 10.10.3.100
R3#
===== FW
pixfirewall# show ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 10.10.1.100 255.255.255.0 manual
Ethernet1 inside 10.10.3.100 255.255.255.0 manual
pixfirewall# sh run access-g
access-group out in interface outside
pixfirewall# sh run access-l
access-list out extended permit ip any any
====== TEST 1
R1#ping 10.10.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/215/376 ms
R1#telnet 10.10.3.1
Trying 10.10.3.1 ... Open
R3#
====== TEST 2
pixfirewall# packet-tracer input outside icmp 10.10.1.1 0 0 10.10.3.1
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.3.0 255.255.255.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out in interface outside
access-list out extended permit ip any any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46, packet dispatched to next module
Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.1 using egress ifc inside
adjacency Active
next-hop mac address ca02.1838.001c hits 41
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
======= TEST 3
pixfirewall# conf t
pixfirewall(config)#
pixfirewall(config)# nat-control
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#
pixfirewall#packet-tracer input outside icmp 10.10.1.1 0 0 10.10.3.1
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.3.0 255.255.255.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out in interface outside
access-list out extended permit ip any any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So packet-tracer also considers the nat-control status.
Regards
Dan
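The packet-tracer output in Dan's tests has a fixed Phase/Type/Subtype/Result layout, and the difference between TEST 2 and TEST 3 is a single extra phase (NAT, rpf-check, DROP). The parser below is an added example, not code from the thread or from Cisco: it pulls out the first dropping phase and flags the nat-control signature seen in TEST 3. The SAMPLE trace is constructed from the shape of that output, trimmed to two phases.

```python
from dataclasses import dataclass, field

@dataclass
class Phase:                 # one "Phase: N" block of packet-tracer output
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""         # per-phase verdict, ALLOW or DROP
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"

def parse_packet_tracer(text):
    # Returns (phases, action, drop_reason) from raw packet-tracer output.
    phases, cur, section, action, reason = [], None, None, "", ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            cur = Phase(int(value)); phases.append(cur); section = None
        elif cur and key in ("Type", "Subtype"):
            setattr(cur, key.lower(), value)
        elif cur and key == "Result":
            if value: cur.result = value
            else: cur = None                 # bare "Result:" starts the summary block
        elif cur and key in ("Config", "Additional Information") and not value:
            section = "config" if key == "Config" else "info"
        elif key == "Action":
            action = value                   # final "Action: allow|drop"
        elif key == "Drop-reason":
            reason = value
        elif cur and section:                # free-form line inside Config/Info
            getattr(cur, section).append(line)
    return phases, action, reason

def dropping_phase(phases):
    # first phase that DROPs, or None when every phase ALLOWs
    return next((p for p in phases if p.result == "DROP"), None)

def dropped_by_nat_control(phases):
    # the signature in TEST 3 above: DROP in the NAT rpf-check phase with "nat-control" in Config
    p = dropping_phase(phases)
    return bool(p and p.type == "NAT" and p.subtype == "rpf-check" and "nat-control" in p.config)

# Constructed sample: two phases in the shape of the TEST 3 output above.
SAMPLE = "\n".join([
    "Phase: 1", "Type: ACCESS-LIST", "Subtype: log", "Result: ALLOW", "Config:",
    "access-group out in interface outside", "Additional Information:", "Phase: 2",
    "Type: NAT", "Subtype: rpf-check", "Result: DROP", "Config:", "nat (inside) 0 0.0.0.0 0.0.0.0",
    "nat-control", "match ip inside any outside any", "no translation group, implicit deny",
    "Additional Information:", "Result:", "input-interface: outside", "output-interface: inside",
    "Action: drop", "Drop-reason: (acl-drop) Flow is denied by configured rule"])
```

Running `parse_packet_tracer(SAMPLE)` and then `dropping_phase` on the result points at phase 2 (NAT/rpf-check), which is exactly the phase that appears once nat-control is enabled.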