04-26-2012 03:13 PM - edited 03-11-2019 03:58 PM
For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?
For example
ASA inside int---10.1.1.1
outside int---120.11.1.1
When the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?
04-26-2012 10:57 PM
Hi Siddharth,
No the firewall would not nat the traffic to the outside interface automatically, you would need to specifically add the nat statement:
object network any_0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
For going to the internet, you would need to NAT the internal IPs to a public IP.
Thanks,
Varun
04-26-2012 11:39 PM
Hi Siddhartham,
In addition to Varun's post, the nat-control feature was removed. This means that you cannot disable it or enable it.
By default the firewall will pass the traffic without changing destination or source IP.
Dan
04-27-2012 06:47 AM
Thanks Varun and Dan.
"By default the firewall will pass the traffic without changing destination or source IP"
If that's the case, if the inside hosts (10.X.X.X) try to access something on the internet, will the packets be sent out with source IP 10.X.X.X? If so, how will the return packet be routed back?
04-27-2012 07:27 AM
Hi Siddhartham,
Yes, if you have not configured NAT, the packet will exit the outside interface with the source 10.x.x.x.
This does not mean that the connection will be established.
I was explaining what happens with the flow. In order to have a successful connection you will have to do PAT as Varun already showed you.
Dan
04-27-2012 07:42 AM
Thanks Dan. I should have asked my above question differently, please let me know whether my below explanation is correct or not.
If nat-control is enabled, for the inside hosts (sec level 100, IP 10.x.x.x) to talk to DMZ hosts (sec level 50, IP 192.x.x.x) we need a matching NAT statement like
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
for ASA Version 8.3 and above, since there is no nat-control, the inside hosts can talk to dmz hosts without any NAT statement as long as the access-list permits that communication if there is any.
04-27-2012 07:46 AM
Yes, you got it right.
Dan
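The following is an added configuration example illustrating the thread's conclusion; it is not from any poster here. It assumes the addresses from the question (inside 10.1.1.1, outside 120.11.1.1) plus an assumed DMZ of 192.168.1.0/24, interface names GigabitEthernet0/0-0/2, and object/ACL names (INSIDE-NET, INSIDE_IN) chosen for illustration. It shows the 8.3+ object NAT needed only for Internet-bound traffic, why inside-to-DMZ traffic passes untranslated, and how to verify both with packet-tracer.

```text
! Added example (not from the thread). Assumed addressing:
!   inside  10.1.1.1/24     security-level 100
!   dmz     192.168.1.1/24  security-level 50   (assumed)
!   outside 120.11.1.1/24   security-level 0
!
! --- Pre-8.3 style (nat-control enabled) for comparison: every
! --- inside->dmz and inside->outside flow needed a matching nat/global pair
! nat-control
! nat (inside) 1 0.0.0.0 0.0.0.0
! global (dmz) 1 interface
! global (outside) 1 interface
!
! --- 8.3+ style (nat-control no longer exists) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.11.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Dynamic PAT for Internet-bound traffic only. Scoping the object to the
! real inside subnet (instead of 0.0.0.0/0 as in Varun's any_0 example)
! keeps the rule from translating sources it was never meant to cover.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! No NAT rule exists for inside -> dmz. The object NAT above names the
! interface pair (inside,outside), so it only matches flows egressing
! outside; a flow egressing dmz is forwarded with its original 10.1.1.x
! source, exactly as Dan described.
!
! If an ACL is bound to inside it must still permit the flow. On 8.3+
! ACLs reference real (untranslated) addresses.
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Verification from enable mode (203.0.113.10 is a documentation address
! standing in for an Internet host):
!
! Inside -> DMZ: expect no NAT phase, source remains 10.1.1.10
!   packet-tracer input inside tcp 10.1.1.10 12345 192.168.1.10 80
!
! Inside -> Internet: expect a NAT phase translating the source to the
! outside interface address 120.11.1.1
!   packet-tracer input inside tcp 10.1.1.10 12345 203.0.113.10 80
!
! show nat detail   - lists configured NAT rules and hit counts
! show xlate        - lists active translations
```

The practical check is the pair of packet-tracer runs: if the inside-to-DMZ trace shows a NAT phase, some rule is broader than intended (for example a 0.0.0.0/0 object NAT combined with a dmz egress), and if the Internet-bound trace shows none, the return traffic will have nowhere to go, which is the failure mode Dan pointed out.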
04-27-2012 07:48 AM
Thanks for confirming