Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
789
Views
0
Helpful
5
Replies

ASA nat-control issue

lanli_ltp
Level 1
Level 1

‎06-08-2010 03:55 PM - edited ‎03-11-2019 10:56 AM

We are looking for a clarification of ASA nat-control command. Unfortunately, we don't have spare device to test it out.

The situation is as follows:

An ASA firewall has three interfaces: "inside", "outside", and "corpinside".

nat-control is DISABLED.

A GLOBAL statment is defined on the "outside" interface and the correpsonding NAT statement on the "inside" interface, something like:

  global(outside) 1 ...

  nat (inside) 1 ...

We confirmed packets from "inside" to "outside" are allowed even for the packes that do not match any NAT rules (including Static NAT, DynamicNAT, and NAT  Exempt).

The issue is what happens to traffice from "inside" to "corpinside" if no Dynamic NAT is defined from "inside" to "corpinside" and two interfaces have

different secuity levels.

One interpretation is: Since NAT is disabled, all traffic from "inside" to "corpinside" should be allowed.


Another interpretation: If dynamic NAT is configured on an interface, all traffic from that interface to any other interface must hit a NAT rule, therefore traffic from "inside" to "corpinside" should be denied .


We need a clarification of which interpretation is correct.

Also,if "inside" and "corpinside" are at the same security level, then is the  traffic allowed?

Labels:
0 Helpful
5 Replies 5

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-08-2010 04:01 PM

Hello,

I think here are the answer to your questions:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html

Federico.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Federico Coto Fajardo

‎06-08-2010 04:24 PM

Taken from the link:

Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT.
When NAT control is disabled, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go
out on other interfaces unless you define those destinations with the nat 0 access-list command.

Federico.

0 Helpful

lanli_ltp
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-08-2010 07:06 PM

Thanks for your information.

We had read the document you mentioned. Our interpretation at that time was the following.

   If nat-control is disabled and dynamic NAT is defined on an interface on which traffic is originating, then packets going from that interface to any other interfaces must match NAT rules.

So, in the example I specified above, packets from "inside" to "outside" that do not match any NAT rule (including NAT Exempt rule) should have been dropped.

However,  someone did device testing and told us that packets from "inside" to "outside" that match no NAT rule are actually allowed as is.

So that's why we are not sure what is the correct behavior of ASA nat-control.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee

‎06-09-2010 06:48 AM

I am not sure if it clear but "match no NAT rule" does not mean that they do no match a nat rule. You could be matching no nat (nat exemption)

by matching nat (inside) 0 rule.

I hope it is clear now.

PK

0 Helpful

lanli_ltp
Level 1
Level 1
In response to Panos Kampanakis

‎06-09-2010 07:29 AM

Sorry for the confusion.

"Patcks that match no nat rules" means "Packets that do not match any NAT rules including Dynamic NAT, Static NAT, and NAT Exempt rules"

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card