ASA 8.4 and nat-control

siddhartham
Level 4

For ASA v8.3 and above we don't need to use nat-control; traffic from a high-security interface can go to a low-security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?

For example

ASA inside int---10.1.1.1

outside int---120.11.1.1

When the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?

Siddhartha

7 Replies

varrao
Level 10

Hi Siddharth,

No, the firewall would not NAT the traffic to the outside interface automatically; you would need to specifically add the NAT statement:

object network any_0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

For going to the internet, you would need to NAT the internal IPs to a public IP.

Thanks,

Varun


Hi Siddhartham,

In addition to Varun's post, the nat-control feature was removed. This means that you cannot disable it or enable it.

By default the firewall will pass the traffic without changing destination or source IP.

Dan

Thanks Varun and Dan.

"By default the firewall will pass the traffic without changing destination or source IP"

If that's the case, if the inside hosts (10.X.X.X) try to access something on the internet, will the packets be sent out with source IP 10.X.X.X? If so, how will the return packet be routed back?

Siddhartha

Hi Siddhartham,

Yes, if you have not configured NAT, the packet will exit the outside interface with the source 10.x.x.x.

This does not mean that the connection will be established.

I was explaining what happens with the flow. In order to have a successful connection you will have to do PAT as Varun already showed you.

Dan

Thanks Dan. I should have asked my above question differently, please let me know whether my below explanation is correct or not.

If nat-control is enabled, for the inside hosts (sec level 100, IP 10.x.x.x) to talk to DMZ hosts (sec level 50, IP 192.x.x.x) we need a matching NAT statement like:

nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface

For ASA version 8.3 and above, since there is no nat-control, the inside hosts can talk to DMZ hosts without any NAT statement as long as the access-list permits that communication, if there is any.

Siddhartha

Yes, you got it right.

Dan

Thanks for confirming

Siddhartha
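Pulling the thread together as one complete 8.3+ configuration, with the checks a practitioner would run to confirm which flows get translated and which do not. This is an added example, not configuration from any of the posts above: the interface names, the object name INSIDE-NET, the DMZ subnet 192.168.1.0/24, the default gateway 120.11.1.254 and the test destination 198.51.100.10 are assumptions; only the 10.1.1.1 (inside) and 120.11.1.1 (outside) addresses come from the thread.

```text
! ASA 8.3+ example (added here, not from the thread). Interface names, INSIDE-NET,
! the DMZ subnet, the default gateway and the test addresses are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.11.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 120.11.1.254
!
! The only NAT rule in the box: object (auto) NAT that PATs every inside host to
! the outside interface address when the egress interface is "outside".
! Nothing matches inside->dmz, so that traffic is forwarded with its 10.1.1.x source.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Optional ACL. With no ACL on inside, inside (100) -> dmz (50) and
! inside -> outside (0) are already permitted by security level. Once an ACL is
! applied inbound on inside it replaces that implicit permit, so it must cover
! both destinations. On 8.3+ ACLs match the real (untranslated) addresses.
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-group INSIDE_IN in interface inside
!
! Verification (privileged exec):
! show nat detail
!   -> lists the single auto NAT rule with its translate_hits / untranslate_hits
! packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.10 443
!   -> a NAT phase rewrites the source 10.1.1.10 to 120.11.1.1; Result: ALLOW
! packet-tracer input inside tcp 10.1.1.10 40000 192.168.1.10 443
!   -> no rule rewrites the source; the packet leaves on dmz as 10.1.1.10
! show xlate
!   -> after real traffic, shows the PAT entries 10.1.1.x -> 120.11.1.1
```

The two packet-tracer runs are the quickest way to confirm the point Dan made: the DMZ-bound flow is allowed and forwarded untranslated, while the internet-bound flow only works because the object NAT rule rewrites its source to an address the upstream router can return traffic to.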