NAT on 8.0 (4)

Unanswered Question
Oct 5th, 2008
User Badges:

i dont see any nat config on the firewall but the inside network can access the DMZ with only using ACL.

inside :


with ACL allowing to access from the inside without NAT.

Is this suppose to work without NAT at all? i mean i dont see "no nat" config also.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (3 ratings)
satish_zanjurne Sun, 10/05/2008 - 21:14
User Badges:
  • Silver, 250 points or more

Firewall must be in Transparent mode.

In transparent mode there is no need of NAT.

1.Use "show firewall" command, see the output, whether firewall is in transparent mode.

2.To return the firewall to routed mode, use "no firewall transparent" command in global config mode.

3.IN transparent mode using extended access-control lists you can allow L3 traffic.

HTH...rate if helpful..

ariesc_33 Sun, 10/05/2008 - 21:50
User Badges:

its in router mode...

is the nat control disabled by default with this version?

abinjola Sun, 10/05/2008 - 22:50
User Badges:
  • Cisco Employee,

If no nat-control is specified then you do not require NATTing (NAT TRANSLATIONS ARE BYPASSED)

Key Points for No Nat-Control:-

--All traffic leaving a PIX from a higher to lower security interface moves freely

--All traffic entering a PIX from a lower to higher security only requires an ACCESS-LIST

--NAT/GLOBAL pairs are needed only for traffic requiring address translation

For new configurations NAT control is disabled by default, following configuration migration/upgrades NAT-CONTROL is enabled so previous NAT behavior is maintained.

Do Rate If Helps !

ariesc_33 Mon, 10/06/2008 - 00:04
User Badges:

thanks for the replies.

but as i said, "no nat control" wasnt specified. is it enabled by default on this version?when i show run, it doesnt show.

i have other version of asa and NAT is in use. when i show run on that box, "nat-control" shows.

abinjola Mon, 10/06/2008 - 00:09
User Badges:
  • Cisco Employee,

By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.

Since its default behaviour, it will no show up in the sh run

abinjola Mon, 10/06/2008 - 01:56
User Badges:
  • Cisco Employee,

NAT Control:-

The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet "CONTINUES". The EXCEPTION is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.


This Discussion