My ASA 5520 routes without setting up an exemption NAT

BrinksArgentina
Level 1

I issue a clear configure all, set up the interfaces, and with this minimal configuration a PC connected to the DMZ interface can contact the router on the outside.

The ASA routes IP and (this is a lab) because the router has the ASA as default gateway, the packets return to the DMZ host.

But there is no NAT exemption in the configuration!! How can it work?

ASA5520-K8, Version 8.0(2)

Thanks

1 Accepted Solution


cisco24x7
Level 6

You need to read the documentation more carefully. Starting with PIX 7.x and higher, "no nat-control" is the default on PIX and ASA. Basically, the PIX IS a router. However, the basic principle still applies. In other words, you still need an ACL for low to get to high.

CCIE Security


2 Replies

I read the NAT chapter again and I found that. The ASA routes packets if no NAT rule is set for the interface.

"Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown"

Cisco Security Appliance Command Line Configuration Guide

Thanks!
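The behaviour discussed in this thread, as an added configuration sketch that is not from any of the posters: it shows `no nat-control` letting DMZ traffic route untranslated, the ACL that low-to-high traffic still needs, and what changes if `nat-control` is enabled. It uses ASA 8.0 (pre-8.3) syntax; the interface layout, security levels, ACL names and addresses are assumptions constructed for illustration.

```cisco
! Added example. Interface names, security levels, ACL names and
! addresses are constructed for illustration (not from the thread).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Default on 7.x and later: NAT is not required, so dmz (50) -> outside (0)
! traffic with no matching NAT rule is simply routed with its real address.
no nat-control
!
! Exec mode: confirm which mode is active ("all" includes default settings).
show running-config all nat-control
!
! Lower -> higher security is still denied unless an ACL applied to the
! lower-security interface permits it.
access-list OUTSIDE_IN extended permit tcp host 192.0.2.254 host 172.16.1.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! To make the appliance require a NAT rule for higher -> lower traffic:
nat-control
! With nat-control on, dmz hosts need an explicit translation or a
! NAT exemption before they can reach the outside, for example:
access-list DMZ_NONAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (dmz) 0 access-list DMZ_NONAT
!
! Exec mode: trace a packet through the routing, NAT and ACL phases to see
! which one permits or drops it.
packet-tracer input dmz tcp 172.16.1.10 1025 192.0.2.254 80
```

On a production firewall, relying on the default means any higher-security host can reach lower-security networks untranslated, so the effective `nat-control` mode and the interface ACLs are worth checking after a `clear configure all`.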
