My ASA 5520 routes without setting up a NAT exemption

Answered Question
Jan 10th, 2008

I issue a clear configure all, set up the interfaces, and with this minimal configuration a PC connected to the DMZ interface can contact the router on the outside.

The ASA routes IP, and (this is a lab) because the router has the ASA as default gateway, the packets return to the DMZ host.

But there is no NAT exemption in the configuration!! How can it work?



ASA5520-K8, Version 8.0(2)


Thanks


Correct Answer by cisco24x7, Thu, 01/10/2008 - 11:06

You need to read the documentation more carefully. Starting with PIX 7.x and higher, "no nat-control" is the default on PIX and ASA. Basically, the PIX IS a router. However, the basic principle still applies. In other words, you still need an ACL for low to get to high.

CCIE Security
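The behaviour the answer describes, written out as a minimal ASA 8.0 configuration. This is an added example, not the poster's configuration or text from the thread; interface names, addresses, the ACL name and the host address of the DMZ PC are assumptions chosen for illustration.

```cisco
! Added example (not from the original thread). Interface names, addresses and
! the ACL name are assumptions for illustration.
hostname ASA-LAB
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
 no shutdown
!
! "no nat-control" is the default since PIX/ASA 7.x: packets are routed even
! when no NAT rule matches them. Spelled out here so the lab does not depend
! on a default ("show running-config nat-control" shows the current setting).
no nat-control
!
! Default route towards the lab router on the outside segment.
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! High (dmz, level 50) to low (outside, level 0) is permitted by default, so
! the DMZ host reaches the router with no ACL and no NAT; the router's replies
! match the connection the ASA created on the way out.
!
! ICMP is only tracked statefully when it is inspected. Without this, echo
! replies from the router would need their own permit on the outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Low (outside, 0) to high (dmz, 50) stays denied, no-nat-control or not,
! until an ACL is applied inbound on the lower-security interface.
access-list OUTSIDE_IN extended permit icmp any host 172.16.10.10
access-list OUTSIDE_IN extended permit tcp any host 172.16.10.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Contrast (pre-8.3 NAT syntax): with the old behaviour turned back on, the
! same DMZ host is dropped ("no translation group found") until a NAT rule
! or a NAT exemption covers it.
! nat-control
! nat (dmz) 0 access-list NO_NAT                 <- exemption (identity NAT), or
! nat (dmz) 1 172.16.10.0 255.255.255.0
! global (outside) 1 interface
```

The two things to check when a lab behaves like the poster's are therefore separate: NAT is not required because nat-control is off, and the initial direction of each flow is still governed by security levels plus the ACL on the ingress interface. A DMZ host initiating to the outside works with neither; an outside host initiating to the DMZ needs the ACL regardless.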

BrinksArgentina Wed, 01/16/2008 - 04:59

I read the NAT chapter again and I found that. The ASA routes packets if no NAT rule is set for the interface.


"Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown"

Cisco Security Appliance Command Line Configuration Guide


Thanks!
