
New Member

ASA nat-control issue

We are looking for a clarification of the ASA nat-control command. Unfortunately, we don't have a spare device to test it out.

The situation is as follows:

An ASA firewall has three interfaces: "inside", "outside", and "corpinside".

nat-control is DISABLED.

A GLOBAL statement is defined on the "outside" interface and the corresponding NAT statement on the "inside" interface, something like:

  global(outside) 1 ...

  nat (inside) 1 ...

We confirmed packets from "inside" to "outside" are allowed even for the packets that do not match any NAT rules (including Static NAT, Dynamic NAT, and NAT Exempt).

The issue is what happens to traffic from "inside" to "corpinside" if no Dynamic NAT is defined from "inside" to "corpinside" and the two interfaces have different security levels.

One interpretation is: Since NAT is disabled, all traffic from "inside" to "corpinside" should be allowed.


Another interpretation: If dynamic NAT is configured on an interface, all traffic from that interface to any other interface must hit a NAT rule, therefore traffic from "inside" to "corpinside" should be denied.


We need a clarification of which interpretation is correct.

Also, if "inside" and "corpinside" are at the same security level, then is the traffic allowed?

5 REPLIES

Re: ASA nat-control issue

Hello,

I think here is the answer to your questions:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html

Federico.

Re: ASA nat-control issue

Taken from the link:

Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT.
When NAT control is disabled, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.

Federico.
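The scenario from the question, written out as an added example (not configuration from the original posts or from Cisco's documentation); the 10.1.1.0/24 and 10.2.2.0/24 subnets, the ACL name and the host addresses are assumed:

```text
! Added example, not from the thread or Cisco documentation. ASA 8.2-style syntax.
! Assumed: inside = 10.1.1.0/24, corpinside = 10.2.2.0/24.
no nat-control
!
! The nat/global pair from the question: inside hosts are PATed when leaving via outside.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Per the quoted documentation: once a nat/global pair exists on "inside", real inside
! addresses are not passed to other interfaces such as "corpinside", even with
! nat-control disabled, unless that destination is covered by NAT exemption (nat 0).
access-list INSIDE_TO_CORP_NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_TO_CORP_NONAT
!
! If "inside" and "corpinside" share the same security level, traffic between them
! additionally requires this global setting, independent of NAT:
same-security-traffic permit inter-interface
!
! Verification on the device (constructed host addresses); packet-tracer reports
! the NAT phase that matched and whether the flow is allowed or dropped:
! packet-tracer input inside tcp 10.1.1.10 40000 10.2.2.10 80 detailed
! show nat
```

Running the packet-tracer line once with and once without the nat 0 statement shows directly which of the two interpretations in the question the running code follows, for that address pair.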

New Member

Re: ASA nat-control issue

Thanks for your information.

We had read the document you mentioned. Our interpretation at that time was the following.

   If nat-control is disabled and dynamic NAT is defined on an interface on which traffic is originating, then packets going from that interface to any other interfaces must match NAT rules.

So, in the example I specified above, packets from "inside" to "outside" that do not match any NAT rule (including NAT Exempt rule) should have been dropped.

However, someone did device testing and told us that packets from "inside" to "outside" that match no NAT rule are actually allowed as is.

So that's why we are not sure what is the correct behavior of ASA nat-control.

Cisco Employee

Re: ASA nat-control issue

I am not sure if it is clear, but "match no NAT rule" does not mean that they do not match a NAT rule. You could be matching no nat (NAT exemption) by matching the nat (inside) 0 rule.

I hope it is clear now.

PK

New Member

Re: ASA nat-control issue

Sorry for the confusion.

"Packets that match no NAT rules" means "Packets that do not match any NAT rules, including Dynamic NAT, Static NAT, and NAT Exempt rules".
