Allow traffic inter-interface without NAT, still need "no nat"

Unanswered Question
Jun 27th, 2008

I have implemented a few ASA firewalls over time and I have a question that I never solved.

There is an option in ASDM on the NAT screen that says "allow traffic between interfaces without NAT" or something like this. This option inserts "no nat-control" in the script and it is supposed to allow traffic between interfaces without NAT.

Even so, every time I install a new ASA appliance and try to get the Inside network to communicate with the DMZ network, I need a static (inside,DMZ) or a "no nat"; if I don't do that I see the error message:

No translation group found for src x.x.x.x dst y.y.y.y

Does anybody know why this happens, and whether it's right to always need the no nat or static for the two networks to communicate?

smahbub Thu, 07/03/2008 - 10:34

If nat-control is enabled then it is mandatory to implement NAT in the network using any type of NAT. If nat-control is disabled then "NO NAT" can be used so that no address translation occurs.

For more info on "NO NAT" refer the url below:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942fe.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942ff.shtml

guibarati Thu, 05/07/2009 - 10:19

Well, I know it has been a long time, but I finally got the point.

Actually, the ASA can route between interfaces without any nat or no nat, and it works well.

The problem occurs when you have, for example:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Then, when you try to communicate from an inside host to a DMZ host, you get the message (no translation group found).

And it happens because you have a nat for all inside hosts but no global (with index 1 in this case) for DMZ.

If you don't have the originating host included in any "nat", you don't need a global or nat 0 either.

If you want an inside host to be NATted to outside and not NATted to DMZ, you will need a nat 0 anyway.
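Below is a worked configuration that puts the explanation above side by side with the two usual fixes. It is an added example, not configuration posted by anyone in this thread, and it uses the pre-8.3 ASA NAT syntax the thread is discussing. The interface names (inside, dmz, outside), the subnets 192.168.1.0/24 (inside) and 192.168.2.0/24 (dmz), the access-list name INSIDE_NONAT and the test hosts are all assumed for illustration.

```cisco
! --- Failing configuration (as described in the thread) ---
! Every inside source matches nat id 1, but the only global for id 1
! lives on outside. Inside -> dmz traffic therefore matches a nat
! statement with no global on its egress interface and is dropped with
! "No translation group found".
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Fix A: NAT exemption (nat 0 access-list) for inside -> dmz ---
! Pre-8.3 NAT exemption is checked before regular nat/global pairs, so
! traffic matching this ACL is never translated on any interface.
! Subnets below are assumed for the example.
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! --- Fix B (alternative): identity static between the two interfaces ---
! Maps the inside subnet to itself on dmz, so the lookup succeeds
! without changing addresses. Use A or B, not both.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! --- Fix C (alternative): give dmz a global with the same id ---
! This makes the lookup succeed but PATs inside hosts to the dmz
! interface address, which is usually NOT what you want between
! internal segments.
global (dmz) 1 interface

! --- Verification: simulate an inside -> dmz TCP packet ---
! Test host addresses are assumed. The NAT phase of the output should
! show the exemption/identity rule instead of the drop.
packet-tracer input inside tcp 192.168.1.10 12345 192.168.2.10 80
```

Two caveats a practitioner should keep in mind. First, NAT exemption and identity static only exempt the traffic from translation; they do not open anything, so connections initiated from the dmz toward inside are still governed by the access-group applied to the dmz interface. Second, nat-control only decides whether a packet that matches no NAT rule at all may pass untranslated; once the source matches a nat statement, a usable global (or an exemption) on the egress interface is required regardless of the nat-control setting, which is exactly why "no nat-control" alone did not solve the original poster's problem.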
