How to make the ASA route traffic without NAT

jim.larsson
Level 1

The ASA and PIX ver 7 up is supposed to work in a no nat-control mode (by default). Several discussions in the forum focus on the NAT and STATIC commands. What I really would like is an explanation on how to configure the ASA to route traffic between interfaces without the use of STATIC commands. I have tried to do this with no luck.

If there is anyone who has knowledge and perhaps a working example of configuration for the ASA to do this I would be very happy.

4 Replies

JORGE RODRIGUEZ
Level 10

Jim, this document explains exactly what you are looking for, NAT communication between interfaces with NAT Exemption, with examples. Please go over this doc.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1002608

Rgds

Jorge

Jorge Rodriguez

gfullage
Cisco Employee

If you issue the command "no nat-control" (which is actually the default on a new ASA, but not on an upgraded PIX), then the firewall will route outbound packets (from inside->outside) without any additional commands, just like a router. Inbound packets (from outside->inside) only require an access-list, no static.

If you have "no nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will flow without being NAT'd.

If you have "nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will BE DROPPED.

Hi, thanks for your answer gfullage.

I have issued the command show run nat-control, and get the answer no nat-control. So I guess this is correct. With inside and outside I assume you mean from an interface with a higher security-level to another interface with a lower security-level?

Here is a part of the configuration. What I am trying to do is get traffic to flow from interface ADM to interface RES without any static commands. Behind the ADM interface there are a number of subnets of net 10.0.0.0.

!
interface GigabitEthernet0/0
 nameif ADM
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet0/1
 nameif RES
 security-level 50
 ip address 10.127.0.1 255.255.255.0
!
interface Management0/0
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
interface GigabitEthernet1/0
 media-type sfp
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0.1
 vlan 2
 nameif PUB
 security-level 0
 ip address 197.46.138.4 255.255.255.0
!
interface GigabitEthernet1/0.2
 description DMZ1
 vlan 3
 nameif DMZ1
 security-level 10
 ip address 10.3.25.1 255.255.255.0
!
access-list PUB_access_in extended permit ip any any
access-list ADM_access_in extended permit ip any any
access-list DMZ1_access_in extended permit ip any any
access-list RES_access_in extended permit ip any any
global (PUB) 10 interface
global (DMZ2) 10 interface
nat (ADM) 10 10.0.0.0 255.0.0.0
static (ADM,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (DMZ1,ADM) 10.3.25.0 10.3.25.0 netmask 255.255.255.0
static (DMZ1,PUB) 194.6.236.17 10.3.25.25 netmask 255.255.255.255
access-group ADM_access_in in interface ADM
access-group RES_access_in in interface RES
access-group PUB_access_in in interface PUB
access-group DMZ1_access_in in interface DMZ1
!

As soon as I add the command:

static (ADM,RES) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

It works and I can get traffic from ADM to RES. If I remove the line it stops.

Is it the other static commands that mess things up?

Hmmm, it's probably this:

nat (ADM) 10 10.0.0.0 255.0.0.0

This does match the incoming traffic, but then there's no matching global for the RES interface, so it's probably being dropped. What does the syslog show when you try to get traffic through? You'll probably see a bunch of 305006 syslog messages (if my assumption is correct).

I would have thought with no nat-control it wouldn't have worried about the nat statement, but maybe because it does match then it assumes you do want to nat it to something. As I said, even with "no nat-control", we will still nat packets if they match on a static/nat, and this seems to be what's happening here. When you then add the static command that takes precedence over the nat command and is used correctly.
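The explanation above boils down to a lookup order, which the toy model below walks through against the config Jim posted. This is an added example, not Cisco code or anything from the thread; the cfg layout, the function names and the sample 10.5.5.5 source address are constructed, and the order (static, then nat/global, then nat-control) is a simplification that ignores interface ACLs and policy NAT.

```python
import ipaddress


def _matches(net, ip):
    """True if ip falls inside the network given as 'a.b.c.d/len'."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def nat_decision(cfg, src_if, dst_if, src_ip):
    """What the firewall does with a new flow entering src_if bound for dst_if.
    cfg: nat_control (bool); static: [(in_if, out_if, net)];
    nat: [(interface, id, net)]; globals: [(interface, id)].
    Interface ACLs are out of scope here; only the NAT lookup is modelled."""
    # 1. A static (src,dst) whose real network contains the source wins.
    for in_if, out_if, net in cfg["static"]:
        if (in_if, out_if) == (src_if, dst_if) and _matches(net, src_ip):
            return "translate via static"
    # 2. A nat (src) entry matching the source. id 0 passes untranslated;
    #    any other id needs a global with the same id on the egress interface.
    for nat_if, nat_id, net in cfg["nat"]:
        if nat_if == src_if and _matches(net, src_ip):
            if nat_id == 0:
                return "pass untranslated (nat 0)"
            if (dst_if, nat_id) in cfg["globals"]:
                return f"PAT via global ({dst_if}) {nat_id}"
            return "drop: nat matched but no global on egress interface"
    # 3. Nothing matched: only nat-control decides.
    return "drop: nat-control" if cfg["nat_control"] else "pass untranslated"


# Constructed from the config posted in the thread: identity statics,
# nat (ADM) 10 for 10/8, globals only on PUB and DMZ2, no nat-control.
THREAD_CFG = {
    "nat_control": False,
    "static": [("ADM", "DMZ1", "10.0.0.0/8"), ("DMZ1", "ADM", "10.3.25.0/24")],
    "nat": [("ADM", 10, "10.0.0.0/8")],
    "globals": [("PUB", 10), ("DMZ2", 10)],
}


def with_static_adm_res(cfg):
    """The poster's workaround: add 'static (ADM,RES) 10.0.0.0 10.0.0.0'."""
    return {**cfg, "static": cfg["static"] + [("ADM", "RES", "10.0.0.0/8")]}


if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CFG),
                       ("with static (ADM,RES)", with_static_adm_res(THREAD_CFG))):
        for dst in ("RES", "PUB", "DMZ1"):
            print(f"{label:22} ADM->{dst}: {nat_decision(cfg, 'ADM', dst, '10.5.5.5')}")
```

Flipping nat_control to True in THREAD_CFG shows the other half of gfullage's first reply: flows that match no nat or static are then dropped instead of passed.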
