Disabling NAT 0 on ASA 5540?

Unanswered Question
Dec 31st, 2007

I am using an ASA-5540 strictly for IPsec VPN lan-2-lan tunnels and will never be NATing outbound as we have a public Class-B address space.


Since I'm never going to be NATing, can I disable the nat 0 and no-nat functionality completely so that the ASDM doesn't always supply a no-nat line for every ACL entry? I'll have 100s of host and network objects and don't want to no-nat any of them.


If so, how do I disable that?

JORGE RODRIGUEZ Tue, 01/01/2008 - 18:46

I believe you can accomplish this through the use of the no nat-control command in ASA. I personally have not faced this scenario but have read about it; look into the nat-control disabling/enabling command and its purpose. I think it should provide you with what you are looking for.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml#backinfo



http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1603837



Rgds

Jorge


ahsankhan Wed, 01/02/2008 - 14:15

Hi,


Looks like you simply need to disable NAT on the firewall; you should have some lines like the ones below.


nat (inside) 0 access-list natzero
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list natzero
nat (DMZ) 1 0.0.0.0 0.0.0.0



You can remove the access-list part and this will remove the natzero config. If you need to remove NAT altogether then you may want to remove the nat statements altogether. However, you need to look for traffic between different segments, as removing NAT from the firewall completely is not a good idea.

jkeeffe Wed, 01/02/2008 - 19:20

Would it be a good idea to remove NAT completely if we don't ever use private address spaces - even in a DMZ scenario?

srue Thu, 01/03/2008 - 10:17

Like someone already said, the 'no nat-control' command is what you're looking for. If you need to NAT anything at a later time, you can still do so. The 'no nat-control' command doesn't mean you can't NAT, only that you don't have to NAT.
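A constructed illustration of the two states discussed in this thread (nat-control on with NAT 0 exemption lines, versus 'no nat-control' with them removed), added here and not from any poster: a small Python audit of a made-up ASA config excerpt. The sample config, the ACL name 'natzero' and the helper names are assumptions; the 'nat (iface) 0 access-list' form is the one quoted above.

```python
import re

# Constructed sample (not from any poster): nat-control on, NAT 0 via an ACL on two interfaces.
SAMPLE_CONFIG = """\
nat-control
access-list natzero extended permit ip any any
nat (inside) 0 access-list natzero
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list natzero
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
# 'nat (iface) <id> [access-list <name>] ...'; id 0 is the NAT exemption (identity NAT) form.
NAT_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) (?P<id>\d+)(?: access-list (?P<acl>\S+))?")

def nat_control_enabled(config):
    """False if an explicit 'no nat-control' line is present, True otherwise."""
    return "no nat-control" not in {ln.strip() for ln in config.splitlines()}

def nat_zero_entries(config):
    """Map each interface to the ACL names on its 'nat (iface) 0 access-list ...' lines."""
    entries = {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m.group("id") == "0":
            entries.setdefault(m.group("iface"), []).append(m.group("acl"))
    return entries

def audit(config):
    """State whether the NAT 0 lines still matter given the nat-control setting."""
    on, zero = nat_control_enabled(config), nat_zero_entries(config)
    if not on:
        verdict = "no nat-control: NAT 0 lines are redundant" if zero else "no nat-control: nothing to remove"
    elif zero:
        verdict = "nat-control on: NAT 0 lines are what let un-NATed traffic pass"
    else:
        verdict = "nat-control on and no NAT 0: un-NATed hosts cannot reach lower-security interfaces"
    return {"nat_control": on, "nat_zero": zero, "verdict": verdict}

def without_nat_zero(config):
    """Return config with 'no nat-control' set and the NAT 0 lines (plus their ACLs) removed."""
    acls = {a for names in nat_zero_entries(config).values() for a in names if a}
    out = []
    for line in config.splitlines():
        s = line.strip()
        m = NAT_RE.match(s)
        if (m and m.group("id") == "0") or any(s.startswith(f"access-list {a} ") for a in acls):
            continue
        out.append("no nat-control" if s == "nat-control" else line)
    return "\n".join(out) + "\n"
```

Run audit() on a real running-config excerpt to see which state the box is in; without_nat_zero() shows what the config looks like once the exemption lines are no longer load-bearing.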