Answered Question


I was reading about Nat-Control.More I read it more confusion.

It comes disabled with version 7.0 and more.

It is something;

When nat-control is enabled NAT is required for all traffic flowing across the security appliance. When nat-control is disabled NAT is optional for traffic flowing across the security appliance.


1.What would be the case if I want to my internal host to access on internet.I would be using PAT.

2. Now want my dmz to be accessed publically then ofcourse would need satic statment b/w dmz and outside ip.Also needs NAT here.

3Want to allow DMZ,Inside or inside,dmz communication would need identity NAT to best of my knowledge.

What will happen if I enable nat-control and disable one by one.

I read in one of the article:

Keep it in mind: Even with nat-control disabled, once you add a nat statement for PAT to an interface, you require NAT for all traffic on that interface and it appears It appears that nat behaves on a per-interface basis, not a per-flow basis.

Also would like to know what happened to fixup command in code 7.x and above.Is it now inspect or something else.



I have this problem too.
0 votes
Correct Answer by vikram_anumukonda about 7 years 7 months ago

my answer is "no".

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
vikram_anumukonda Mon, 03/02/2009 - 22:06

fixup is replaced with inspect .

with nat-control enabled , traffic from high to low will not be allowed to go thru the firewall, you can bypass nat for some of your traffic flows (from high to low ) using nat 0 ( nat exemption)

if you enable nat-control and remove your nat config one by one - I believe the existing traffic flows will continue to work until they timeout where as new connections from high to low will not happen (

I have never tried this though)

Hope this helps.

Hi Vikram,

If this is the case then how was previous code before 7.x were working.Traffic from High to low will be blocked.Was there some option in earlier to diasble this too or not?

So is it recommended to keep nat control disabled in majority of cases?

Under what conditions/situations nat-control is to be enabled?



vikram_anumukonda Tue, 03/03/2009 - 00:04

If you do not want any of your internal/secure hosts to go out without nat, enabling nat-control is an easy way of doing it.

It's entirely upto the customer whether to use nat or not and if you have are using RFC1918 networks on your internal network , you have no other go but to use NAT.

a example from 6.3 command reference guide for bypassing nat

access-list all-ip-packet permit ip 0 0 0 0

nat (inside) 0 access-list all-ip-packet

Vikram..As mostly at customers place we use rfc 1918 address,so nat-control or no nat-control doesn't going to make difference as I need to nat/pat in both the situations.

nat(inside) 101

Global(outside) 101 interface

is to be required in both the cases.

Have you ever seen any case where nat control was enabled.i.e nat rules to be matched.



sdoremus33 Tue, 03/03/2009 - 13:54

Also a couple other points in regards to Nat_id "Nat control commands"

Whether or not to use NAT control

Depending on your traffic flow for example for Policy Based NAT if you use Nat_id the traffic flow is only in the outbound direction, also with NAT exemption or identity Nat if you use Identkty Nat then only in outbound direction, so if you aere not worried about state infor passing, then NATR-ID COMMANDS CAN BE USED

sdoremus33 Tue, 03/03/2009 - 13:56

Also would like to know what happened to fixup command in code 7.x and above.Is it now inspect or something else.

For ASA devices it is The proxy firewalling elemenets on a pix are the "fixup" commands. On the ASA they are the "inspect" commands.


This Discussion