No NAT - Cannot see the outside (ASA 7.x)

Unanswered Question
Feb 20th, 2008

Used the ADSM to create a startup config.

Since we are not using NAT do I have to create an route from the Outside interface to the Inside interface.

Collin Clark Wed, 02/20/2008 - 07:36

What are your security levels set to? If they are different, you will still need NAT.

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

If they are the same, try

same-security-traffic permit inter-interface

HTH

paulkalmes Wed, 02/20/2008 - 07:45

Thanks! I will give it a look.

Outside is Sec Lev 0 and Inside is Sec Lev 100

paulkalmes Wed, 02/20/2008 - 07:59

I have the following commands:

static (Inside,Outside) host1 host1 netmask 255.255.255.255

...

static (Inside,Outside) hostn hostn netmask 255.255.255.255

I saw a note about "no nat-control", I know I don't have it in the config.

Collin Clark Wed, 02/20/2008 - 08:11

I'm new to NAT-Control, but it sounds like it would work since you have public addresses on the inside. Let us know how it works if you choose to use it.

PIX 7.0 introduces the nat-control command. You can use the nat-control command in configuration mode in order to specify if NAT is required for outside communications. With NAT control enabled, configuration of NAT rules is required in order to allow outbound traffic, as is the case with previous versions of PIX software. If NAT control is disabled (no nat-control), inside hosts can communicate with outside networks without the configuration of a NAT rule. However, if you have inside hosts that do not have public addresses, you still need to configure NAT for those hosts.

cisco24x7 Wed, 02/20/2008 - 07:50

In version 6.x code, you will need this:

static (i,o) inside_net inside_net netmask /x

In PIX version 7.x code, the default is "no nat-control". In other words, the PIX will route traffic just like a router out of the box.

However, an ACL is still needed to go from low to high.

CCIE Security

paulkalmes Wed, 02/20/2008 - 07:53

I have read this. It seems to assume that I am using NAT to hide private IP addresses.

I am trying to pass Public IP to Public IP traffic.

cisco24x7 Wed, 02/20/2008 - 08:24

Yes, the PIX, by default, will do that for you due to the default "no nat-control", if that's what you're asking.

paulkalmes Wed, 02/20/2008 - 10:08

Okay. Now this is getting good. I telneted to the ASA, conf t'ed the "no nat-control", then did a sho run and there is no "no nat-control" entry. Is it me, or is something very simple being made very hard? There are static (inside,outside) commands from before. Should those be deleted?

Collin Clark Wed, 02/20/2008 - 10:43

From Command Reference:

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.

Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule.

Similarly, if you enable outside dynamic NAT or PAT with NAT control, then all outside traffic must match a NAT rule when it accesses an inside interface.

Static NAT with NAT control does not cause these restrictions.

By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.

If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption (nat 0 access-list) or identity NAT (nat 0 or static) rule on those addresses.

Note: If you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off nat-control. You have to reconfigure the NAT statement in PIX/ASA to work as expected.
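As an added illustration (not configuration from any poster in this thread), here is what the two approaches described above look like as ASA 7.x configuration. The interface names, the 203.0.113.0/24 subnet, the host 203.0.113.10 and the ACL names are assumed placeholders; the `!` lines are annotation, not part of the configuration. Option A and Option B are alternatives, so only one of them would be applied.

```cisco
! Option A: NAT control off (the 7.x default). With no nat, static or
! global statements left in the config, the ASA forwards public-to-public
! traffic without translating anything, like a router.
no nat-control
!
! Option B: keep NAT control on, but satisfy the "must match a NAT rule"
! requirement for the public inside subnet with a NAT exemption, so the
! addresses pass through unchanged.
nat-control
access-list NO_NAT extended permit ip 203.0.113.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT
!
! Either way, security levels still apply: traffic from outside (0) to
! inside (100) is dropped until an ACL on the outside interface permits
! it. Because nothing is translated, the ACL names the real inside host.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The practical check after either change is `show run nat-control` together with `show run static` and `show run nat`: per the note above, leftover static or nat statements are what keep traffic from flowing once NAT control is turned off, and an explicit final deny with `log` on the outside ACL is what makes unexpected inbound attempts visible in the syslog.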

cisco24x7 Wed, 02/20/2008 - 10:58

"Then I sho run and no "no nat-control" entry."

Yes, that is the default of the PIX. "no nat-control" is the default.

If you just want to use the PIX as a routing device, REMOVE ALL of your static commands, NAT and global, and use "no nat-control". That will turn your PIX into a router.

CCIE Security.

paulkalmes Wed, 02/20/2008 - 19:52

Thanks cisco24x7,

I will report back on what I find tomorrow.

paulkalmes Wed, 02/20/2008 - 19:51

Thanks CEClark!

I think I got fuddled up with the ADSM. I jumped right into it when I should have started with the CLI. I will make sure to clear out my NAT statements and report back.

paulkalmes Thu, 02/21/2008 - 19:04

After pulling out the NAT, static, etc., I now have traffic flowing.

Now I need to see if there are things I can do to improve the outbound performance.

There looks like there is a bit of an issue with the colo's handoff to our rack.
