ASA 8.4 and nat-control

For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?

For example

ASA inside int---10.1.1.1

outside int---120.11.1.1

When the inside hosts try to go out, they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?

Siddhartha

Hi Siddhartha,

No, the firewall would not NAT the traffic to the outside interface automatically; you would need to specifically add the NAT statement:

object network any_0

  subnet 0.0.0.0 0.0.0.0

  nat (inside,outside) dynamic interface

For going to the internet, you would need to NAT the internal IPs to a public IP.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

Hi Siddhartha,

In addition to Varun's post, the nat-control feature was removed. This means that you cannot disable it or enable it.

By default the firewall will pass the traffic without changing destination or source IP.

Dan

Thanks Varun and Dan.

"By default the firewall will pass the traffic without changing destination or source IP"

If that's the case, when the inside hosts (10.X.X.X) try to access something on the internet, will the packets be sent out with source IP 10.X.X.X? If so, how will the return packet be routed back?

Siddhartha

Hi Siddhartha,

Yes, if you have not configured NAT, the packet will exit the outside interface with the source 10.x.x.x.

This does not mean that the connection will be established.

I was explaining what happens with the flow. In order to have a successful connection you will have to do PAT as Varun already showed you.

Dan

Thanks Dan. I should have asked my above question differently, please let me know whether my below explanation is correct or not.

If nat-control is enabled, for the inside hosts (sec level 100, IP 10.x.x.x) to talk to dmz hosts (sec level 50, IP 192.x.x.x) we need a matching NAT statement like

nat (inside) 1 0.0.0.0 0.0.0.0

global (dmz) 1 interface

For ASA version 8.3 and above, since there is no nat-control, the inside hosts can talk to dmz hosts without any NAT statement, as long as the access-list (if there is any) permits that communication.

Siddhartha

Yes, you got it right.

Dan
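Pulling together Varun's PAT rule and the inside-to-dmz case Siddhartha summarised above, the following ASA 8.3+ configuration is an added example for this thread; it was not posted by any participant. The interface names and the inside/outside addresses are taken from the question; the interface slots, the /24 masks, the DMZ subnet 192.168.50.0/24, the object name INSIDE-NET, the ACL name INSIDE_IN and the test hosts used in the packet-tracer commands are all assumptions made for the example.

```cisco
! Added example (not from the thread): ASA 8.3+ with nat-control removed.
! Interface names and the 10.1.1.1 / 120.11.1.1 addresses come from the question;
! slots, masks, the DMZ subnet and all object/ACL names are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.11.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! inside -> outside: the one rule that is still required. Without it the
! packet leaves with a 10.1.1.x source and the reply cannot be routed back.
! This is the object-NAT form of the rule Varun posted, scoped to the
! inside subnet instead of 0.0.0.0/0.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! inside -> dmz: deliberately no NAT rule. With nat-control gone the flow
! is forwarded with its original source address; the only thing that has to
! allow it is the access policy. Because inside (100) is more secure than
! dmz (50) no ACL is needed at all, but if one is applied to inside it
! simply has to permit the traffic, as Siddhartha noted.
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Verification from exec mode (test hosts are constructed):
! packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.10 80
!   expect the NAT phase to match INSIDE-NET and the source to become 120.11.1.1
! packet-tracer input inside tcp 10.1.1.10 40000 192.168.50.10 443
!   expect no NAT rule to match and the source to remain 10.1.1.10
! show nat detail
!   per-rule translate hit counters; only the inside->outside flows count here
! show xlate
!   PAT entries appear only for the inside->outside flows
```

The point to check after applying something like this is the `show nat detail` hit counters: if inside-to-dmz traffic ever increments the INSIDE-NET rule, the rule's interface pair is wrong, and if inside-to-outside traffic never increments it, hosts are leaving untranslated exactly as Dan described.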

Thanks for confirming

Siddhartha