Cisco Support Community

ASA 8.2 no nat-control


ASA5540# sh run nat-control

no nat-control

This means higher security can talk to lower security without NAT rules.

Question 1) - If I want the higher security zone to talk to lower security with NAT rules, I would use statements like below. Am I correct?

nat (dmz) 1

nat (inside) 1

global (dmz) 1 interface

global (inside) 1 interface

Is this correct? So in this case I am kind of like overriding the no nat-control statement... right?

Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??

nat (dmz) 0 access-list dmz-nonat

nat (inside) 0 access-list dbase-nonat

And do I have to have a global statement for NAT 0 below?

global (dmz) 0 access-list dmz-nonat

global (apps) 0 access-list dbase-nonat

...let me know whatever you need; I am ready to provide you the necessary info.



ASA 8.2 no nat-control

First of all, nat-control is disabled by default; once you turn it on, then only NAT rules are required.

global (outside) 1 interface

nat (dmz) 1

nat (inside) 1

This, if you can say, is for internet traffic.



is enabled in 8.2 and below, for Inside to DMZ traffic flow you must have a NAT statement such as this:

static (inside,DMZ)  netmask

So: if NAT-CONTROL is enabled, traffic from higher security to lower security zone must be NAT'd. If NAT-CONTROL is NOT enabled, then as long as routing and ACL's are satisfied, traffic from inside to DMZ would flow


for more info -



Re: ASA 8.2 no nat-control

Hello Kunal,

Answer to question 1: If you want to allow outbound connections from the outside to the inside (higher to lower security level interface), yes, a PAT will work for that.

Answer to question 2: If you do not have nat-control enabled you are not translating anything, so what would be the purpose of the NAT 0? Now, the whole idea of the NAT 0 is DO NOT translate this, so why would you use a global for that? So NO, there is no global on the nat 0.

Please rate helpful post,



Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura
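
The pairing rules discussed in this thread, as an added example that is not part of any post: a small Python check over pre-8.3 `nat`/`global` lines that matches dynamic rules by NAT ID, lists `nat 0 access-list` exemptions, and flags a `global` with ID 0. The sample configuration, its addresses and the `audit` function name are constructed for illustration.

```python
import re

# Pre-8.3 ASA syntax: "nat (ifc) <id> ..." and "global (ifc) <id> ..."
LINE = re.compile(r"^(nat|global)\s+\(([\w-]+)\)\s+(\d+)\b(.*)$")

# Constructed sample config (addresses are assumptions, not from the thread)
SAMPLE = """\
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
access-list dbase-nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list dbase-nonat
global (apps) 0 access-list dbase-nonat
nat (apps) 2 192.168.50.0 255.255.255.0
"""

def audit(config):
    """Return (pairs, exempt, findings) for the nat/global lines in config."""
    nats, globals_, findings = [], [], []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ACLs and unrelated lines are ignored
        kind, ifc, nat_id, rest = m.group(1), m.group(2), int(m.group(3)), m.group(4).split()
        if kind == "nat":
            nats.append((ifc, nat_id, rest))
        elif nat_id == 0:
            # NAT ID 0 means "do not translate", so there is nothing to pair it with
            findings.append(f"global ({ifc}) 0: NAT ID 0 takes no global statement")
        else:
            globals_.append((ifc, nat_id))

    pairs, exempt = set(), []
    for ifc, nat_id, rest in nats:
        if nat_id == 0:
            if len(rest) >= 2 and rest[0] == "access-list":
                exempt.append((ifc, rest[1]))  # NAT exemption driven by an ACL
            continue
        # A dynamic rule translates only toward interfaces holding a global with the same ID
        egress = {g for g, gid in globals_ if gid == nat_id and g != ifc}
        if not egress:
            findings.append(f"nat ({ifc}) {nat_id}: no global {nat_id} on another interface")
        pairs |= {(ifc, e, nat_id) for e in egress}
    return sorted(pairs), exempt, findings

if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```
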