nat-control

Unanswered Question
Jun 4th, 2007

Hi all

Was wondering if anyone could provide me with or link me to a good explanation of nat-control. I remember a course instructor telling me with it disabled, the ASA acts basically like a router. Is this really the case?

I'd like to avoid all the complex NAT configuration issues involved with configuring multiple DMZs, and I was hoping with nat-control disabled this would be the case.

I still require inside to outside nat translations and certain hosts on my public dmz to translate when they access the internet for certain services as well as static nat translations for internet facing servers.

Then I have my private DMZ that needs to talk to the public DMZ and vice versa, which I would prefer not to have to configure NAT for.

Am I doomed to nat hell or will disabling nat-control be my saviour?

Thanking all in advance.

P.S. I'm waiting on the arrival of my new ASA 5520 to replace my PIX 515e v6.3, so I haven't had a chance to play with it yet.

H.

cpembleton Mon, 06/04/2007 - 04:41

With nat-control turned on, traffic going from an inside network to an outside network has to match a NAT statement or the packet is dropped. With nat-control turned off, if a packet doesn't match a NAT rule it is left with its original address and sent on its merry way.

It is more secure to use nat-control, as it only allows known IPs to traverse the firewall.

Setting up NAT from one DMZ to another is easy to do. Just use the subnets and it's one statement.

static (dmz1, dmz2) 192.168.2.0 192.168.1.0 netmask 255.255.255.0

Here is the NAT doc for 7.2.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008083aa67.html#wp1002608

Thanks,

Chad

Please rate if this helps.
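To put the answer above together with the requirements in the question (inside-to-Internet PAT, static NAT for Internet-facing servers, selected public-DMZ hosts translated for Internet access, and untranslated traffic between the two DMZs), here is an added example configuration in ASA 7.2 syntax; it is not from the original thread or from Cisco. Interface names, security levels, the 10.0.0.0/24 and 192.168.x.0/24 networks and the 203.0.113.x addresses are assumed placeholders.

```cisco
! Added example (ASA 7.2 syntax), not from the original thread.
! Interface names, security levels and all addresses are assumed placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif public-dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif private-dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
! Disable NAT control: a packet that matches no NAT rule keeps its original
! source address instead of being dropped (the behaviour described in the answer).
no nat-control
!
! Inside hosts are still translated on their way to the Internet (dynamic PAT
! to the outside interface address).
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! Only the selected public-DMZ host (192.168.1.20) is translated when it
! reaches the Internet; other public-DMZ hosts match no dynamic rule.
nat (public-dmz) 2 192.168.1.20 255.255.255.255
global (outside) 2 203.0.113.20
!
! One-to-one static NAT for an Internet-facing server in the public DMZ.
static (public-dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! Identity statics between the DMZs: each network appears on the other DMZ
! with its real address. Static rules are matched before dynamic nat/global
! pairs, so the host above is still untranslated when it talks to the private DMZ.
static (public-dmz,private-dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (private-dmz,public-dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! NAT only rewrites addresses; the lower-security public DMZ still needs an
! access list before it may initiate connections into the private DMZ.
access-list public-to-private extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 1433
access-group public-to-private in interface public-dmz
!
! Check after a test connection: "show xlate" should list translations only
! towards outside, and "show conn" shows DMZ-to-DMZ sessions with 192.168.x addresses.
```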
