
no nat-control

smesiatowsky
Level 1

We currently have several offices internationally. Each office is considered an untrusted site, so we have firewalls between offices. Most of these firewalls started with PIX 6.3 but have been upgraded to 7.2. Many of the rules have been put in place to allow clients in offices to connect with specific servers in another office. Since these firewalls started on 6.3 code, we have NAT in place with an identity NAT for all traffic going over the firewall. We do not actually NAT to different IPs (all of this is on an internal network with private IPs). In order to access the servers, we have static NAT commands (and in some cases, static NATs for entire subnets). Now we need the ability to allow all clients to talk with all other clients on specific ports for a real-time communications program.

I am assuming the only two options we have are adding static NATs for all subnets in our networks, or issuing the "no nat-control" and disabling NAT altogether. Since we do not actually NAT to different IPs (all of this is on an internal network with private IPs), will we break anything by disabling NAT? I just hate to be the one pulling the trigger. Thank you for your help.

1 Reply

If all you are currently doing is static identity NAT then I can't see any difference that no nat-control would make. If no translation is required, why configure a long list of statics when no nat-control would accomplish the same outcome? Configure the access list to open up ports for all your application(s) and control the access there.

HTH

Sundar
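
A configuration sketch of the change discussed in this thread, added here as an example and not taken from either poster's firewalls. The interface names (inside, outside), the subnets 10.1.0.0/16 and 10.2.0.0/16, the ACL name OUTSIDE_IN and TCP port 5061 are constructed placeholders; substitute the real office subnets and application ports.

```cisco
! Before: nat-control is enforced, so each reachable host or subnet
! needs its own identity static (placeholder subnet shown).
nat-control
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! After: traffic no longer needs a matching NAT rule to pass.
no nat-control
! Existing static/nat statements still apply to the traffic they match;
! traffic that matches no NAT rule is forwarded untranslated.

! With the NAT requirement gone, the interface ACL is what limits
! lower-to-higher security traffic, so keep each entry narrow:
! remote-office clients to local clients, application port only.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 5061

! If an ACL is already bound to this interface, append the entry to
! that ACL instead; only one ACL applies per interface per direction.
access-group OUTSIDE_IN in interface outside
```

After the change, review the hit counters with `show access-list OUTSIDE_IN` to confirm that only the intended client subnets and ports are matching.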
