NAT on the ASA- Help!

Sep 22nd, 2008

I'm pulling the configs off our old 515 firewalls and putting them on our new ASA 5500s. On the 515, we were NATing everything inside to a public address tied to the outside interface (not the interface address itself). Here is the config for the inside NAT:

nat (inside) 1

global (outside) 1 x.x.x.x

I also have similar NAT statements on other interfaces on the PIX, all of which are similar to my inside NAT config.

My question is, do I need to enable nat-control on the ASAs to make them behave the same way as my 515s? I'm a little confused as to whether it's needed or not.

Overall Rating: 5 (1 ratings)
guibarati Mon, 09/22/2008 - 06:11

nat-control will make it mandatory for all traffic going through the ASA to be NATed; with "no nat-control" you can have traffic with NAT 0 (no NAT) going through the firewall. If you use nat 0 you need "no nat-control"; if you don't use nat 0, it makes no difference whether or not you have nat-control.

This is the information another member of NETPRO told me in an old post.
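
An added example, not part of any post in this thread: a Python check that reads PIX/ASA 7.x-style `nat`/`global` lines from a migrated config, lists NAT IDs that have no matching `global` pool, and shows how the `nat-control` setting changes what happens to a source with no matching rule. The sample config, addresses and function names are constructed for illustration, and the model covers only regular `nat`/`global` rules for traffic from a higher-security to a lower-security interface.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses), not the poster's.
SAMPLE = """\
nat-control
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 192.0.2.10
nat (dmz) 2 10.2.0.0 255.255.255.0
nat (inside) 0 10.9.0.0 255.255.255.0
"""

# Only the "network mask" form is parsed; "nat ... access-list" lines are skipped.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d[\d.]*) (\d[\d.]*)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse(config):
    """Collect nat rules, global pool IDs and the nat-control setting."""
    state = {"nat_control": False, "nat": [], "global_ids": set()}
    for line in map(str.strip, config.splitlines()):
        if line in ("nat-control", "no nat-control"):
            state["nat_control"] = line == "nat-control"
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}")
            state["nat"].append((m[1], int(m[2]), net))
        elif m := GLOBAL_RE.match(line):
            state["global_ids"].add(int(m[2]))
    return state


def orphan_nat_ids(state):
    """NAT IDs above 0 that have no global pool with the same ID."""
    ids = {i for _, i, _ in state["nat"]}
    return sorted(i for i in ids if i and i not in state["global_ids"])


def outcome(state, ifc, src):
    """Classify outbound traffic from src arriving on interface ifc."""
    addr = ipaddress.ip_address(src)
    hits = [(net.prefixlen, nat_id) for rule_ifc, nat_id, net in state["nat"]
            if rule_ifc == ifc and addr in net]
    if not hits:
        # No rule matches: nat-control decides between drop and pass-through.
        return "dropped" if state["nat_control"] else "untranslated"
    _, nat_id = max(hits)  # most specific matching network wins
    if nat_id == 0:
        return "exempt"  # nat 0 needs no global pool
    return "translated" if nat_id in state["global_ids"] else "no-pool"
```

Run `parse()` over the output of `show running-config` from the new ASA and review anything reported as `no-pool` or `dropped` before cutting traffic over.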

veljko.tasic Mon, 09/22/2008 - 23:22

If you want to change the device and keep the current configuration, the best way to do this is to use the new PIX-to-ASA migration tool.

It will change your configuration to adapt it to the ASA.

