I have just been asked to take over management of an FWSM in a 6509. Looking into the config, I notice that there doesn't appear to be adequate NAT statements, as I know them to be.
For example, here is the config relating to a network on the inside interface accessing a device in the web dmz:
ip address 10.30.5.1 255.255.255.0
ip address 10.30.81.10 255.255.255.252
object-group network OFFICE-NETWORKS
network-object 10.18.0.0 255.255.0.0
access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside
route product-inside 10.18.0.0 255.255.0.0 core12
Now, I would expect there to be a NAT 0 or a static entry, but there are neither (you'll have to trust me on this!). There is actually no NAT 0 entry, only numbers 1-10 for outgoing traffic from the web dmz to the outside interface.
Yet a connection still occurs:
TCP out 10.30.5.34:3389 in 10.18.10.4:2035 idle 0:00:02 Bytes 142 FLAGS - U
And NAT has taken place:
NAT from inside:10.18.10.4 to webfront:10.18.10.4 flags Ii
I can't figure out how it knows to NAT this...can anyone shed any light?
Many thanks for your response. Apologies, I should have said that I had already searched for no nat-control in the config, but it's not there... but thinking about it, does that mean that this is set as default and that's why it's not showing? It's running version 3.1(1).
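The two things worth checking in this situation are whether the running config actually carries a `nat-control` / `no nat-control` line, and whether the translations the firewall is building are identity translations (the `I` flag in the poster's xlate line, where the source and translated addresses are the same). The script below is an added example, not something from the original post or from Cisco: it parses the config snippet and the xlate line quoted above (plus two constructed xlate lines in the same shape, for contrast) and reports which flows are passing with an identity translation rather than a configured static or NAT 0 rule. The `show xlate`-style line format is taken from the post; treating a missing `nat-control` line as "not shown" rather than as a known default is a deliberate assumption, since a running config omits default settings.

```python
import re
from typing import Dict, List, Optional

# Config lines copied from the post (no nat-control line present).
SAMPLE_CONFIG = """\
ip address 10.30.5.1 255.255.255.0
ip address 10.30.81.10 255.255.255.252
object-group network OFFICE-NETWORKS
network-object 10.18.0.0 255.255.0.0
access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside
route product-inside 10.18.0.0 255.255.0.0 core12
"""

# First line is the poster's xlate; the other two are constructed for contrast.
SAMPLE_XLATES = """\
NAT from inside:10.18.10.4 to webfront:10.18.10.4 flags Ii
NAT from webfront:10.30.5.34 to outside:203.0.113.10 flags i
NAT from inside:10.18.22.9 to outside:203.0.113.11 flags s
"""

# Matches "NAT from <if>:<ip> to <if>:<ip> flags <letters>" as quoted in the post.
XLATE_RE = re.compile(
    r"^NAT from (?P<src_if>[\w-]+):(?P<src>[\d.]+)"
    r" to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)"
    r" flags (?P<flags>[A-Za-z]+)$"
)


def nat_control_state(config_text: str) -> str:
    """Return 'enabled', 'disabled', or 'not-shown'.

    'not-shown' means neither form appears in the supplied config, which is
    what you see when the setting is at its default (assumption: the running
    config omits defaults, so absence alone does not tell you the state).
    """
    for line in config_text.splitlines():
        s = line.strip()
        if s == "nat-control":
            return "enabled"
        if s == "no nat-control":
            return "disabled"
    return "not-shown"


def parse_xlate(line: str) -> Optional[Dict[str, object]]:
    """Parse one xlate line; return None if it is not in the expected shape."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    # Identity translation: the 'I' flag, or the address is unchanged across interfaces.
    d["identity"] = ("I" in str(d["flags"])) or (d["src"] == d["dst"])
    return d


def identity_xlates(xlate_text: str) -> List[Dict[str, object]]:
    """Return only the translations that leave the source address unchanged."""
    parsed = (parse_xlate(l) for l in xlate_text.splitlines())
    return [x for x in parsed if x and x["identity"]]


def assess(config_text: str, xlate_text: str) -> str:
    """Summarise what the config and xlate table together tell you."""
    state = nat_control_state(config_text)
    ids = identity_xlates(xlate_text)
    if ids and state != "enabled":
        flows = ", ".join(f"{x['src_if']}:{x['src']}->{x['dst_if']}" for x in ids)
        return (f"nat-control {state}; {len(ids)} identity translation(s) built "
                f"without a static/NAT 0 rule: {flows}")
    if ids:
        return f"nat-control enabled; {len(ids)} identity translation(s) from explicit rules"
    return f"nat-control {state}; no identity translations seen"


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, SAMPLE_XLATES))
```

Run against the quoted snippet this reports that `nat-control` is not shown and that the `inside:10.18.10.4 -> webfront` flow is an identity translation, which is exactly the symptom described: the firewall is building a one-to-one translation on the fly because nothing requires a NAT rule for that path. Feeding it a config that does contain `nat-control` changes the verdict, which makes it a quick way to compare the box's behaviour with what the config appears to say.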