10-05-2008 07:30 PM - edited 03-11-2019 06:53 AM
I don't see any NAT config on the firewall, but the inside network can access the DMZ using only an ACL.
inside : 192.168.1.0
dmz: 172.16.1.0
with an ACL allowing access to 172.16.1.0 from the inside, without NAT.
Is this supposed to work without NAT at all? I mean, I don't see a "no nat" config either.
Thanks
10-05-2008 09:14 PM
The firewall must be in transparent mode.
In transparent mode there is no need for NAT.
1. Use the "show firewall" command and check in the output whether the firewall is in transparent mode.
2. To return the firewall to routed mode, use the "no firewall transparent" command in global config mode.
3. In transparent mode you can allow L3 traffic using extended access control lists.
HTH...rate if helpful..
10-05-2008 09:50 PM
It's in routed mode...
Is nat-control disabled by default in this version?
10-05-2008 10:50 PM
If nat-control is not specified, then you do not require NATting (NAT translations are bypassed).
Key points for no nat-control:
-- All traffic leaving a PIX from a higher to a lower security interface moves freely.
-- All traffic entering a PIX from a lower to a higher security interface only requires an access-list.
-- NAT/global pairs are needed only for traffic requiring address translation.
For new configurations NAT control is disabled by default. Following configuration migration/upgrades, NAT control is enabled so that the previous NAT behavior is maintained.
Do Rate If Helps !
10-06-2008 12:04 AM
thanks for the replies.
But as I said, "no nat-control" wasn't specified. Is it enabled by default on this version? When I show run, it doesn't show.
I have another version of ASA where NAT is in use. When I show run on that box, "nat-control" shows.
10-06-2008 12:09 AM
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.
Since it's the default behaviour, it will not show up in the sh run.
10-06-2008 01:46 AM
Thanks a lot.
Any documentation for this?
10-06-2008 01:56 AM
NAT Control:-
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet "CONTINUES". The EXCEPTION is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858
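Added example (not part of the thread, and not the original poster's config): a minimal pre-8.3 ASA routed-mode configuration for the inside/DMZ scenario discussed above, showing the default no-nat-control case where the ACL alone permits the traffic, and, commented out, the identity-NAT rule that would be needed if nat-control were enabled. Interface names, IP addresses, security levels and ACL names are assumptions; the nat-control and nat (inside) 0 syntax applies to 7.x/8.0-8.2 and was removed in 8.3.

```cisco
! --- Assumed interfaces for the scenario in the thread ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Default on a fresh install: nat-control is off. It is hidden in "show run"
! because it is the default; "show running-config all nat-control" prints it.
no nat-control
!
! With nat-control off, an ACL is the only thing standing between inside and DMZ.
! Keep it host/port specific in production; this assumed ACL is deliberately broad.
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group inside_in in interface inside
!
! If nat-control is enabled (e.g. migrated from a PIX 6.x config), inside -> dmz is
! higher -> lower security, so the packet must match a NAT rule or it is dropped.
! Identity NAT (nat 0 with an ACL) satisfies the requirement without translating:
! nat-control
! access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
! nat (inside) 0 access-list NONAT
!
! Verification from enable mode (assumed test hosts):
!   show running-config all nat-control
!   packet-tracer input inside tcp 192.168.1.10 1025 172.16.1.10 80
```

With nat-control on and the NONAT rule commented out, packet-tracer reports the drop at the NAT phase rather than the ACL phase, which is the quickest way to tell a missing translation from a missing access-list entry.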