Why CISCO ASA does NATing by default and not ROUTing ?

Peter Nemec
Level 1

Hello,

my question may sound stupid, but please explain to me the following behavior.

CISCO ASA 5505

Interfaces:

OUTSIDE - 194.50.90.221   255.255.255.0 / security level 0

DMZ - 192.168.12.254   255.255.255.0 / security level 25

INSIDE - 192.168.0.6     255.255.255.0 / security level 50

Now, if I want to ping from the DMZ to INSIDE, I get an error message "no translation group found for icmp src DMZ: ...... dst: INSIDE...."

I fixed it by adding "NAT 0" onto the INSIDE interface so that packets originating from "INSIDE" that are destined for "DMZ" do not get NAT'd.

Now my question is, because these are all directly connected networks, how come the firewall does not route the packets, but tries to NAT them instead...???

1 Accepted Solution

Accepted Solutions

Hi Peter,

Kindly go through the doc; if you have any queries, feel free to drop in:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html

-Varun

Thanks,
Varun Rao

6 Replies

varrao
Level 10

Hi Peter,

You would need the nat command only if you have nat-control enabled on the ASA; if it is no nat-control, you would just need an access-list to go from your DMZ to inside.

You can check this by:

show run nat-control

It will tell you whether it is enabled or not.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
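To make the two situations in this reply concrete, here is an added configuration example (not from anyone in this thread) in ASA 8.2-style syntax for the three interfaces in the question. The ACL names NO_NAT_INSIDE and DMZ_IN are constructed for the example, and the lines starting with "!" are explanatory comments, not configuration.

```cisco
! First confirm which mode the ASA is in:
!   show run nat-control      -> prints "nat-control" or "no nat-control"

! --- Mode A: nat-control enabled -------------------------------------------
! Every flow crossing the ASA must match a translation or it is dropped with
! "no translation group found". Exempt INSIDE<->DMZ from translation so the
! DMZ can reach INSIDE hosts by their real addresses (NAT exemption works
! for connections started from either side), then keep normal PAT toward OUTSIDE.
nat-control
access-list NO_NAT_INSIDE extended permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (INSIDE) 0 access-list NO_NAT_INSIDE
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.0.0 255.255.255.0
nat (DMZ) 1 192.168.12.0 255.255.255.0

! --- Mode B: no nat-control --------------------------------------------------
! No translation is required between directly connected interfaces; only the
! access-list below is needed for the lower-to-higher direction.
no nat-control

! --- Needed in BOTH modes -----------------------------------------------------
! DMZ (security level 25) to INSIDE (level 50) is lower-to-higher, so it is
! denied by default. Permit only ICMP echo requests; the ACL's implicit deny
! keeps everything else from the DMZ blocked, which is the least-permissive
! rule that satisfies the ping test in the question.
access-list DMZ_IN extended permit icmp 192.168.12.0 255.255.255.0 192.168.0.0 255.255.255.0 echo
access-group DMZ_IN in interface DMZ
```

Apply only one of the two mode blocks together with the shared ACL; on a 5505 the nameif values INSIDE, DMZ and OUTSIDE belong to VLAN interfaces, and the names are case-sensitive in the nat, global and access-group commands.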

Collin Clark
VIP Alumni

A firewall is a security device. Its role is to separate trusted and untrusted networks. Part of that separation is controlled by the security level. You can't go from a less secure network to a more secure network without you specifically granting access (both NAT and ACL).

Peter Nemec
Level 1

Thanks guys, makes sense now.

This was just one of the things I wanted to have clarified.

Yes, it is a firewall and not a router.

By the way, I am still a bit confused, because I tried to run the "show run nat-control" and it shows "no nat-control"...

Yes, I previously added access-lists to allow ICMP traffic flowing from lower sec level to higher sec level, but it won't work without having NAT 0 specified on the INSIDE interface...

But yeah, makes sense that because this is a firewall and not a router, by default it's supposed to provide the least-permissive conditions for traffic to flow through its interfaces...

Thanks all again, I have read the last article, makes sense, cheers.

Sure Peter, you can mark the thread as answered if your queries are resolved.

-Varun

Thanks,
Varun Rao