Pros and cons of NO-NAT?

Mar 30th, 2009

I am trying to determine if using no-nat between the inside and the DMZ is bad in any way. I was told that running no-nat between private interfaces does not cause any security risks; is this true? Am I losing any security functionality if I choose to bypass NAT? Below is my config.

Thanks in advance!

interface Ethernet0/0
nameif outside
security-level 0
ip address 200.123.*.*
interface Ethernet0/1
nameif inside
security-level 100
ip address
interface Ethernet0/2
nameif DMZ
security-level 50
ip address
access-list nonat extended permit ip
nat (inside) 0 access-list nonat
global (outside) 1 200.123.*.*
nat (inside) 1
nat (inside) 1
nat (inside) 1
nat (inside) 1

htarra Fri, 04/03/2009 - 08:39

If you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected. The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0.

anowell Fri, 04/03/2009 - 08:53

Thanks for the reply!

My question was more centered around whether or not you lose any security features of the ASA if you choose to run "no-nat" between the inside and DMZ.

Thanks again!

srue Fri, 04/03/2009 - 09:31

I'm not sure why the other poster here thinks you can't have nat statements if you disable nat-control. That's simply not true.

For the original poster, from your partial config, I can't tell if you have nat-control enabled or not. Whether or not this is enabled will dictate if there is any security between those interfaces w/ or w/o nat.

Since the DMZ has a lower security level though, with or without NAT you will need ACLs to originate traffic from the DMZ to the inside. If you want to control traffic from the inside to the DMZ, you might consider applying an ACL inbound on the inside interface, or outbound on the DMZ interface.
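As an added example, not taken from the thread, here is how the points above look in the same pre-8.3 ASA syntax the original config uses: identity NAT (NAT exemption) between inside and DMZ, with the access lists that actually enforce the boundary. The subnets 10.1.1.0/24 (inside) and 10.1.2.0/24 (DMZ), the host addresses, the ports and the ACL names are assumed values chosen for illustration.

```cisco
! Added example, pre-8.3 ASA syntax. All addresses below are assumed:
!   inside = 10.1.1.0/24, DMZ = 10.1.2.0/24
!   database server 10.1.1.20 (inside), web server 10.1.2.10 (DMZ), admin host 10.1.1.5
!
! NAT exemption between inside and DMZ: addresses cross unchanged, and the
! exemption applies to flows started from either side. It only removes the
! translation; it grants no access by itself.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Everything else from inside and DMZ is PAT'd to the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (DMZ) 1 10.1.2.0 255.255.255.0
!
! DMZ (50) -> inside (100) is denied by security level until an ACL permits it.
! Permit only the web server to reach the database port, block every other
! DMZ -> inside flow explicitly, then allow DMZ hosts out to the Internet.
access-list dmz_in extended permit tcp host 10.1.2.10 host 10.1.1.20 eq 1433
access-list dmz_in extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 log
access-list dmz_in extended permit tcp 10.1.2.0 255.255.255.0 any eq 80
access-list dmz_in extended permit tcp 10.1.2.0 255.255.255.0 any eq 443
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface DMZ
!
! Inside (100) -> DMZ (50) is implicitly permitted by security level.
! Applying an ACL inbound on inside replaces that implicit permit, so the
! ACL must also carry the inside -> outside traffic or it will be dropped.
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.10 eq 443
access-list inside_in extended permit tcp host 10.1.1.5 host 10.1.2.10 eq 22
access-list inside_in extended deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 log
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! With nat-control enabled, a flow with no matching nat/global or static entry
! is dropped even when an ACL permits it; the nonat entry above satisfies that
! requirement for inside <-> DMZ. To see which mode is in effect:
!   show running-config | include nat-control
```

The security-relevant point is that the NAT exemption and the access lists are independent controls: removing NAT between the two interfaces changes nothing about which flows are allowed, while the `access-group` lines are what decide that, with the logged deny entries giving you visibility into anything from the DMZ that tries to reach the inside.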
