

ASA 8.2 no nat-control

Hi,

ASA5540# sh run nat-control

no nat-control

this means higher security can talk to lower security without NAT rules

Question 1) - if I want the higher security zone to talk to the lower security zone with NAT rules, I would use statements like below. Am I correct?

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

global (dmz) 1 interface

global (inside) 1 interface

Is this correct? So in this case I am kind of overriding the no nat-control statement ...right?

Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??

nat (dmz) 0 access-list dmz-nonat

nat (inside) 0 access-list dbase-nonat

And do I have to have a global statement for NAT 0 ...like below?

global (dmz) 0 access-list dmz-nonat

global (apps) 0 access-list dbase-nonat

...let me know whatever you need; I am ready to provide you the necessary info.

Thanks

2 REPLIES

ASA 8.2 no nat-control

First of all, nat-control is disabled by default; only once you turn it on are NAT rules required.

global (outside) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

This, you could say, is for internet traffic.

If NAT-CONTROL is enabled in 8.2 and below, for Inside to DMZ traffic flow you must have a NAT statement such as this:

static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

So: if NAT-CONTROL is enabled, traffic from a higher security zone to a lower security zone must be NAT'd. If NAT-CONTROL is NOT enabled, then as long as routing and ACLs are satisfied, traffic from inside to DMZ would flow normally.

For more info: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_82.pdf

Thanks

Ajay

Re: ASA 8.2 no nat-control

Hello Kunal,

Answer to question 1: If you want to allow outbound connections from the outside to the inside (higher to lower security level interface), yes, a PAT will work for that.

Answer to question 2: If you do not have nat-control enabled you are not translating anything, so what would be the purpose of the NAT 0? Now, the whole idea of the NAT 0 is "DO NOT translate this", so why would you use a global for that? So NO, there is no global on the NAT 0.

Please rate helpful post,

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
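Pulling the two replies together, here is a worked ASA 8.2 configuration added as an illustration (it is not taken from either reply or from the Cisco guide): nat-control turned on, PAT for inside and DMZ hosts going to the outside, and inside-to-DMZ traffic exempted with nat 0 and no global, as Julio describes. The interface names, subnets and ACL name are constructed for the example.

```text
! Constructed example; interface names, subnets and the ACL name are assumed.
! Turn NAT control on: now every flow crossing the ASA needs a matching NAT rule.
nat-control
!
! Dynamic PAT for internet-bound traffic. Both sources use nat ID 1 and share
! one global on the outside interface, so inside and DMZ hosts hide behind
! the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Inside (10.10.10.0/24) to DMZ (192.168.20.0/24): exempt from translation.
! "nat 0 access-list" is matched before the numbered nat rules and takes no
! global statement, so the "global (dmz) 0 access-list ..." lines from the
! question are not needed.
access-list inside-nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
!
! Equivalent alternative from the first reply: an identity static that maps the
! inside subnet to itself on the DMZ side. Use one form or the other, not both.
! static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! With "no nat-control" (the default) the nat 0 / static lines can be dropped:
! inside-to-DMZ traffic passes untranslated as long as routing and the ACLs
! permit it, while the PAT rules above still apply to flows that match them.
```

When checking such a box, `show xlate` after a test connection confirms whether a flow was exempted (no entry) or PAT'd (an entry on the outside interface).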