No-nat on ASA

oybsteria
Level 1

Is it possible to turn off NAT on some interfaces and use NAT rules towards the internet? Or do I have to use NAT on all other interfaces when I enable NAT on one?

4 Replies

handsy
Level 1

NAT is interface-specific, not global.

BrinksArgentina
Level 1

You can create a NAT exemption to disable NAT. This uses an access-list and a nat command.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html

access-list noNATinside extended permit ip 192.168.0.0 255.255.252.0 10.0.0.0 255.0.0.0

nat (inside) 0 access-list noNATinside

When nat-control is enabled, a NAT rule is needed for traffic between interfaces with different security levels.

I believe you can disable nat-control (no nat-control) and still use NAT translations on the interfaces that you need to: inside to outside, for example, with a nat and global rule. But nothing on dmz to inside/outside.

I use NAT exemption with an ACL on every interface because it is less complex to understand and troubleshoot.
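
The setup described in the replies above, written out as one configuration with commands to check the result. This is an added example, not part of any reply. It assumes the pre-8.3 nat/global syntax of the linked 8.2 guide, interface names inside, outside and dmz, NAT ID 1, and constructed test addresses.

```cisco
! Assumed interface names: inside, outside, dmz. NAT ID 1 is an arbitrary choice.

! Do not require a NAT rule for traffic between interfaces.
no nat-control

! Dynamic PAT: inside hosts going to the internet are translated
! to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! NAT exemption from the thread: inside 192.168.0.0/22 talking to 10.0.0.0/8
! keeps its real addresses. NAT exemption is matched before the ID 1 rule.
access-list noNATinside extended permit ip 192.168.0.0 255.255.252.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list noNATinside

! No nat/global statements for dmz: with nat-control disabled, dmz traffic
! passes untranslated. Interface ACLs and security levels still decide
! what is permitted; an exempted host is reachable on its real address
! from the 10.0.0.0/8 side if an ACL allows it.

! Checks (exec mode). Test addresses below are constructed.
show running-config nat-control
show running-config nat
show running-config global
show xlate

! Expect the NAT exemption rule to match (no translation):
packet-tracer input inside tcp 192.168.0.10 1025 10.1.1.1 80

! Expect the dynamic PAT rule to match (translated to the outside address):
packet-tracer input inside tcp 192.168.0.10 1025 198.51.100.10 80
```

Keep the exemption ACL as narrow as the traffic that actually needs real addresses, since every pair it matches bypasses translation in both directions.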
