Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Nonat translation

Unanswered Question
Jan 12th, 2007
User Badges:


Assume we are using an ASA with three zones configured,the security level of the each interface is as below,




Also assume I have IP scheme for inside, for trusted and for outside.

I want to allow/permit the users from Trusted ,outside zones to inside without translation.

Please let me know the below configuration will work.

nat(trusted) 0 access-list nonattrust

nat(outside) 0 access-list nonatoutside

access-group outside in interface outside

access-group trust in interface trusted

access-list trust permit tcp host host eq 80

access-list nonattrust permit ip host host

access-list outside permit tcp host host eq 80

access-list nonatoutside permit ip host host

I am aware that for an inbound connection(lower to higher) static translation is required,but heared from one of my collegue that the above config will work.

Expecting an earliest reply.

Thanks and Regards,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
Daniel Voicu Sun, 01/14/2007 - 12:06
User Badges:
  • Silver, 250 points or more


On ASA there is an option to disable the need for mandatory traffic NAT, so no NAT 0 statement nedded. This will stil let you use NAT for specific traffic.

Give it a try.

Please rate if this helped.



Kmageshkumar Tue, 01/16/2007 - 03:55
User Badges:


I belive you are talking about the NAT-control feature.Please let me know whether the above config will work if i haven't use NAT-control.



sachinraja Tue, 01/16/2007 - 05:24
User Badges:
  • Red, 2250 points or more

Hello Magesh,

As you know "nat-control" command was not there in 6.x version. But the default

behaviour back then was infact of "nat-control", meaning without a nat rule configured, inside traffic could not go outside.

However, in 7.x, the default is "no nat-control" which means inside traffic can

traverse the firewall towards outside even if there is no nat translation configured.

So basically with "no nat-control" you open up the door for the traffic to go through PIX even if there is no nat rule configured for that particular traffic.

Similarly for traffic from outside to inside with "no nat-control", you do not need any static defined either. The processing of an incoming packet continues (going through ACL and seeing if we should block it or

allow it, etc).

I think you should try the config on some test setup and confirm its working...

Hope this helps..


Kmageshkumar Thu, 01/18/2007 - 17:45
User Badges:

Hi Raj,

Thanks much for your help.

Let me try this in the test setup and get back to you.




This Discussion