nat-control

Answered Question
Aug 28th, 2010

Hi All,

Can someone explain to me what the use of the commands nat-control and no nat-control is on the ASA? I am a newbie to the ASA.

I tried to search a lot on the internet but I didn't find a simple and explanatory answer.

Please can anyone help me out

Thanks

Nagaraja Thanthry Sat, 08/28/2010 - 15:17

Hello,

nat-control (or no nat-control) is a way of enforcing the NAT requirements on the Cisco firewall (pre-8.3 code versions). If you configure nat-control, then the firewall enforces the rule that every packet going from a higher security interface to a lower security interface needs a NAT rule configured. If you configure "no nat-control", then the firewall will not enforce the NAT requirement as long as you have not configured any NAT rule for a specific traffic flow on that interface.

http://www.cisco.com/en/US/products/ps6120/products_configuration_exampl...

86a008046f31a.shtml#backinfo

Hope this helps.

Regards,

NT

Samir Shaikh Sat, 08/28/2010 - 16:02

Thanks for your fast response

I would like to let you know that the link you provided is not available

What I understand from your explanation: it is for when we don't want to use NAT from a high security-level interface to a low security-level interface. For instance, from inside to DMZ.

Can you give me an example for further clarification.

Thanks I really appreciate

Nagaraja Thanthry Sat, 08/28/2010 - 16:16

Hello,

Here is the link again:

http://tinyurl.com/dmvylq

So, essentially, when you disable nat-control, you are allowed to go from a higher security interface to a lower security interface without NAT. For example, let us say you have a public IP range on your inside network and DMZ network. Then, you actually do not need any NAT. So, you could disable NAT control. The other scenario I can think of is if you have a firewall just to protect different network segments and you have a different device that is handling NAT. In that case, again you can use "no nat-control".

http://tinyurl.com/6gcquh

Hope this helps.

Regards,

NT

Samir Shaikh Sat, 08/28/2010 - 17:08

Hi,

Assume that I have internal hosts and I want to allow them to access a web server residing in the DMZ segment, and this server has a private IP address, e.g. 172.16.1.5. Therefore, in that case I can use NAT exemption; this is the explanation I got after surfing the web.

Please advise.

Correct Answer
Nagaraja Thanthry Sat, 08/28/2010 - 17:17

Hello,

That depends upon your requirement. You could hide your internal clients behind a DMZ address by using NAT (if you want it to be more secure) or you can certainly use NAT exemption. One drawback of NAT exemption (access-list based nat 0 configuration) is that it will allow bi-directional connections. So, anybody from the DMZ can open connections to your internal network. Dynamic PAT on the DMZ interface will ensure that nobody is allowed to open an unauthorized connection from the DMZ to inside.

In the reverse path, if you would like, you can force all your internal clients to browse that server using its public IP as well. If you have an internal DNS server that resolves all DNS queries for your domain, you have the freedom of setting the A record for your website to either the public IP or the private IP based on your requirements. If you decide that you want to use the public IP, then you will need to use static NAT. If you want to use the private IP, then you do not need to do anything. But if you want to use both addresses, then you need to make use of policy-NAT configurations.

Hope this helps.

Regards,

NT
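The following pre-8.3 ASA configuration is an added example (not posted by anyone in this thread) that puts the nat-control explanation and the DMZ web server answer above into commands. The addressing (inside 10.1.1.0/24, DMZ server 172.16.1.5, public address 203.0.113.10) and the interface names are assumptions for illustration.

```cisco
! Added example for the thread's scenario; addresses and interface names are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
!
! nat-control: a flow from a higher to a lower security interface is dropped
! unless some NAT rule matches it. "no nat-control" would let untranslated
! flows through when no rule matches (e.g. public IPs inside, or NAT done elsewhere).
nat-control
!
! Option A (the answer's more secure choice): dynamic PAT hides inside clients
! behind the dmz interface address. DMZ hosts see only that address and cannot
! build sessions to real inside addresses.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface
!
! Option B (use instead of A, not together): NAT exemption. Nothing is translated
! in either direction, so a DMZ-initiated connection to inside is stopped only by
! the dmz interface access-list below.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 host 172.16.1.5
nat (inside) 0 access-list NONAT
!
! dmz interface ACL: block DMZ-initiated traffic to inside, allow the rest out.
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Static NAT: publish the server on its public IP and permit only HTTP to it.
static (dmz,outside) 203.0.113.10 172.16.1.5 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Policy static NAT: inside clients that resolve the public IP also reach the
! server (the "use both addresses" case from the answer).
access-list SRV_TO_INSIDE extended permit ip host 172.16.1.5 10.1.1.0 255.255.255.0
static (dmz,inside) 203.0.113.10 access-list SRV_TO_INSIDE
```

Verify the result with `show xlate` and `packet-tracer input inside tcp 10.1.1.20 1025 172.16.1.5 80`; with nat-control on and neither option configured, the trace fails at the NAT phase with no translation group found.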

Samir Shaikh Sat, 08/28/2010 - 17:24

hi,

Great, it was quite informative. I will be very thankful if you can give me some command reference to configure dynamic and static NAT and ACL lists to accomplish this configuration.

Samir Shaikh Sat, 08/28/2010 - 17:44

Ok, I will implement it in my environment and do some tests. I will keep you updated. Thanks
