"no-nat control" on ASA 5520

Unanswered Question
May 16th, 2008

I have an Active/Standby ASA 5520 pair. The problem I am facing is with NATing. I don't want to use the ASA for NATing.

To accomplish this, I have not used any NAT rule and have run the "no nat-control" command on the ASA. But after that I am not able to ping the WAN or reach the internet from the LAN.

Then I put in the commands below and everything started working:

global (WAN) 1 interface

nat (LAN) 1 0.0.0.0 0.0.0.0

Can't I use the ASA without NATing?

Regards/Bharat

srue Sat, 05/17/2008 - 02:53

To use the ASA without NATing, one of the following conditions would have to be met:

1. Some other device NATs for you to reach the Internet

2. Each and every host in your network that needs Internet access must be assigned a publicly routable address.

If you're using the ASA to separate internal networks, you could also disable NAT there, depending on your policy.

Bharat Negi Sat, 05/17/2008 - 06:56

Hi

I am using a router for NATing, and internet access works fine if I enable the NAT commands (mentioned in the previous post) on the ASA.

But if I remove those commands from the ASA and use no nat-control, then I am not able to access the internet.

Regards

Bharat

srue Sat, 05/17/2008 - 08:01

We need more information about your network to begin troubleshooting, then.

We need to know about the router. Where is it in relation to the firewall? What IPs are assigned to each of its interfaces? Are there any ACLs blocking your internal address block?

Bharat Negi Sat, 05/17/2008 - 11:07

User <--> LAN s/w <--> ASA5520 <--> L2 switch <-->WAN Rtr <-->Internet

Above is the topology. 10.0.0.0/8 is the pool used. The attached ASA configuration (first post) contains the subnets used for each interface.

I have tried a few things:

- removed NAT commands from ASA

- cleared ARP on firewall and router

Now it's working. But I can't find the reason for that. Also, I am worried that this problem may recur.

Regards/Bharat

vabruno Mon, 05/19/2008 - 17:36

As another poster mentioned, I don't know what your external router is doing, but if you are having to enable the nat-control feature on the ASA then this means that your external router may only be NATing the IP address of the external interface of your ASA. If you do a no nat-control, this means that your 10.0.0.0/8 network is being NATed to your external interface as 10.0.0.0/8, or NAT 0, to make things a bit clearer: the ASA will allow all your internal IPs to traverse the ASA, but they get NATed with the same IP address as the source. If you enable nat-control on the ASA, then in order for any traffic to flow the ASA will need a NAT statement, which you mentioned, using

global (outside) 1 interface

nat (inside) 1 0 0

This will NAT all your inside IPs to the public IP of your ASA. If your NAT statement is set up correctly on your external-facing router so that it NATs 10.0.0.0/8 to the router's outside interface or pool, then you should be able to use no nat-control and things should work. Again, not knowing your network, these are a couple of things to look at.
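As an added configuration example (not from any poster in this thread), the three NAT states discussed above side by side in pre-8.3 ASA syntax; only one of the three would be applied at a time. The WAN/LAN interface names and the 10.0.0.0/8 range are taken from Bharat's posts.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax; WAN/LAN interface
! names and the 10.0.0.0/8 range come from the original post. Apply only one
! of the three options below.

! Option 1: no translation on the ASA. LAN hosts cross the ASA with their
! 10.x.x.x source addresses intact, so the WAN router must NAT 10.0.0.0/8
! (and any ACL on the router must permit that range).
no nat-control

! Option 2: nat-control stays on, but LAN hosts are exempted from
! translation with identity NAT (the "NAT 0" mentioned above). On the wire
! this looks the same as option 1: the source address is unchanged.
nat-control
nat (LAN) 0 10.0.0.0 255.0.0.0

! Option 3: what the original poster ended up with. Every LAN host is PATed
! to the ASA's WAN interface address, so the router only ever sees one
! source IP and its own NAT rule for 10.0.0.0/8 is never exercised, which
! is why this "fixed" things regardless of how the router is configured.
nat-control
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0

! Verification: "show xlate" lists what the ASA is currently translating.
! Under option 3, LAN hosts appear mapped to the WAN interface address;
! if the router is expected to do the NAT, those entries should be absent.

! Note: from ASA 8.3 onward, the nat-control command no longer exists and
! NAT is never required for traffic to pass, so this distinction applies
! only to 8.2 and earlier.
```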
