How to make the ASA route traffic without NAT

Unanswered Question
Oct 5th, 2007

The ASA and PIX ver 7 up is supposed to work in a no nat-control mode (by default). Several discussion in the forum focus on the NAT and STATIC commands. What I really would like is an explanation on how to configure tha ASA to route traffic between interfaces without the use of STATIC commands. I have tried to do this with no luck.

If there is any one ho has knowledge an perhaps a working example of configuration for the ASA to do this I would be evry happy.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
gfullage Sun, 10/07/2007 - 18:45

If you issue the command "no nat-control" (which is actually the default on a new ASA, but not on an upgraded PIX), then the firewall will route outbound packets (from inside->outside) without any additional commands, just like a router. Inbound packets (from outside->inside) only requires an access-list, no static.

If you have "no nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will flow without being NAT'd.

If you have "nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will BE DROPPED.

jim.larsson Sun, 10/07/2007 - 23:09

Hi, tanks for your aswer gfullage.

I have issued the command show run nat-control, and gets the answer no nat-control. So I guess this is correct. With inside and outside I assume you mean from a interface with higer security-level to another interface with a lower security-level?

Here is a part of the configuration. What I am trying to do is getting traffic to flow from interface ADM to interface RES without any static commands. behind the ADM interface there is a number of subnets of net


interface GigabitEthernet0/0

nameif ADM

security-level 100

ip address


interface GigabitEthernet0/1

nameif RES

security-level 50

ip address


interface Management0/0

description LAN/STATE Failover Interface

speed 100

duplex full


interface GigabitEthernet1/0

media-type sfp

no nameif

no security-level

no ip address


interface GigabitEthernet1/0.1

vlan 2

nameif PUB

security-level 0

ip address


interface GigabitEthernet1/0.2

description DMZ1

vlan 3

nameif DMZ1

security-level 10

ip address


access-list PUB_access_in extended permit ip any any

access-list ADM_access_in extended permit ip any any

access-list DMZ1_access_in extended permit ip any any

access-list RES_access_in extended permit ip any any

global (PUB) 10 interface

global (DMZ2) 10 interface

nat (ADM) 10

static (ADM,DMZ1) netmask

static (DMZ1,ADM) netmask

static (DMZ1,PUB) netmask

access-group ADM_access_in in interface ADM

access-group RES_access_in in interface RES

access-group PUB_access_in in interface PUB

access-group DMZ1_access_in in interface DMZ1


As soon as I add the command:

static (ADM,RES) netmask

It works and I can get traffic from ADM to RES. If i remove the line it stops.

Is it the other static commands that mess things up?

gfullage Mon, 10/08/2007 - 18:42

Hmmm, it's probably this:

nat (ADM) 10

This does match the incoming traffic, but then there's no matching global for the RES interface, so it's probably being dropped. what does the syslog show when you try and get traffic through, you'll probably see a bunch of 305006 syslog messages (if my assumption is correct).

I would have thought with no nat-control it wouldn't have worried about the nat statement, but maybe because it does match then it assumes you do want to nat it to something. AS I said, even with "no nat-control", we will still nat packets if they match on a static/nat, and this seems to be what's happening here. When you then add the static command that takes precedence over the nat command and is used correctly.


This Discussion