nat-control

samirshaikh52
Level 2

Hi All,

Can someone explain to me what the use of the commands nat-control and no nat-control is on the ASA? I am a newbie to ASA.

I tried to search a lot on the internet but I didn't find a simple and explanatory answer.

Please can anyone help me out

Thanks

8 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

nat-control (or no nat-control) is a way of enforcing the NAT requirements on the Cisco Firewall (pre 8.3 code versions). If you configure nat-control, then the firewall enforces the rule that every packet going from higher security to lower security needs a NAT rule configured. If you configure "no nat-control", then the firewall will not enforce the NAT requirement as long as you have not configured any NAT rule for a specific traffic flow on that interface.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#backinfo

Hope this helps.

Regards,

NT

Thanks for your fast response

I would like to let you know that the link you provided is not available

What I understand from your explanation is that it is for when we don't want to use NAT from a high security-level interface to a low security-level interface, for instance from inside to DMZ.

Can you give me an example for further clarification.

Thanks, I really appreciate it.

Hello,

Here is the link again:

http://tinyurl.com/dmvylq

So, essentially, when you disable nat-control, you are allowed to go from a higher security interface to a lower security interface without NAT. For example, let us say you have a public IP range on your inside network and DMZ network. Then, you actually do not need any NAT. So, you could disable NAT control. The other scenario I can think of is if you have the firewall just to protect different network segments and you have a different device that is handling NAT. In that case, again you can use "no nat-control".

http://tinyurl.com/6gcquh

Hope this helps.

Regards,

NT

Hi,

Assume that I have internal hosts and I want to allow them to access a Web Server residing in the DMZ segment, and this server has a private IP address, for e.g. 172.16.1.5. Therefore, in that case I can use exempt NAT; this is the explanation I got after surfing the web.

Please advise.

Hello,

That depends upon your requirement. You could hide your internal clients behind a DMZ address by using NAT (if you want it to be more secure) or you can certainly use NAT exemption. One drawback of NAT exemption (access-list based nat 0 configuration) is that it will allow bi-directional connection. So, anybody from DMZ can open connections to your internal network. Dynamic PAT on the DMZ interface will ensure that nobody is allowed to open an unauthorized connection from DMZ to inside.

In the reverse path, if you would like, you can force all your internal clients to browse that server using its public IP as well. If you have an internal DNS server that resolves all DNS queries for your domain, you have the freedom of setting the A record for your website and set either public IP or private IP based on your requirements. If you decide that you want to use public IP, then you will need to use Static NAT. If you want to use private IP, then you do not need to do anything. But if you want to use both addresses, then you need to make use of policy-nat configurations.

Hope this helps.

Regards,

NT

Hi,

Great, it was quite informative. I will be very thankful if you can give me some command references to configure Dynamic and Static NAT and ACLs to accomplish this configuration.

Hello,

Here are the links again:

http://tinyurl.com/dmvylq

http://tinyurl.com/6gcquh

The first link has a few examples and the corresponding configuration commands.

The second one is a command reference guide.

Hope this helps.

Regards,

NT
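Putting the two replies above into configuration (nat-control enforcement, then the NAT exemption versus dynamic PAT choice plus static NAT for the DMZ web server), as an added example that is not from the thread or from Cisco's documentation: pre-8.3 ASA syntax, with constructed addresses (inside 192.168.1.0/24, DMZ web server 172.16.1.5, public address 203.0.113.10) and the interface names inside, dmz and outside assumed.

```text
! Added example, not from the thread. Pre-8.3 ASA syntax. Constructed addresses:
! inside 192.168.1.0/24, DMZ web server 172.16.1.5, its public address 203.0.113.10.
! Interface names inside, dmz and outside are assumed.

! With nat-control on, an inside-to-dmz flow is dropped unless a nat/global,
! static or nat 0 rule matches it; "no nat-control" would let it pass untranslated.
nat-control

! Hide inside clients behind the dmz and outside interface addresses (dynamic PAT).
! Under nat-control there is no dmz-to-inside translation, so DMZ hosts cannot
! initiate connections to inside.
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
global (outside) 1 interface

! The NAT-exemption alternative from the reply (bidirectional, so less secure)
! would replace the "nat (inside) 1" line above with:
!   access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!   nat (inside) 0 access-list NONAT

! Static NAT publishes the web server on its public address to the outside...
static (dmz,outside) 203.0.113.10 172.16.1.5 netmask 255.255.255.255
! ...and, if the internal DNS A record also points at the public address, to inside.
static (dmz,inside) 203.0.113.10 172.16.1.5 netmask 255.255.255.255

! Interface ACLs: outside reaches only TCP/80 on the published address. The dmz ACL
! also stops 172.16.1.5, whose static is bidirectional, from initiating toward inside.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

After an inside client browses the server, `show xlate` should list the inside source translated to the dmz interface address, and `show nat` shows which rule each flow matched.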

Ok, I will implement it in my environment and do some tests. I will keep you updated. Thanks
