The ASA and PIX version 7 and up are supposed to work in a no nat-control mode (by default). Several discussions in the forum focus on the NAT and STATIC commands. What I really would like is an explanation of how to configure the ASA to route traffic between interfaces without the use of STATIC commands. I have tried to do this with no luck.
If there is anyone who has knowledge and perhaps a working example of a configuration for the ASA to do this, I would be very happy.
If you issue the command "no nat-control" (which is actually the default on a new ASA, but not on an upgraded PIX), then the firewall will route outbound packets (from inside->outside) without any additional commands, just like a router. Inbound packets (from outside->inside) only require an access-list, no static.
If you have "no nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will flow without being NAT'd.
If you have "nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will BE DROPPED.
I have issued the command show run nat-control, and get the answer no nat-control. So I guess this is correct. With inside and outside I assume you mean from an interface with a higher security-level to another interface with a lower security-level?
Here is a part of the configuration. What I am trying to do is to get traffic to flow from interface ADM to interface RES without any static commands. Behind the ADM interface there are a number of subnets of net 10.0.0.0.
ip address 10.1.1.1 255.255.0.0
ip address 10.127.0.1 255.255.255.0
description LAN/STATE Failover Interface
no ip address
ip address 184.108.40.206 255.255.255.0
ip address 10.3.25.1 255.255.255.0
access-list PUB_access_in extended permit ip any any
access-list ADM_access_in extended permit ip any any
access-list DMZ1_access_in extended permit ip any any
access-list RES_access_in extended permit ip any any
This does match the incoming traffic, but then there's no matching global for the RES interface, so it's probably being dropped. What does the syslog show when you try to get traffic through? You'll probably see a bunch of 305006 syslog messages (if my assumption is correct).
I would have thought with no nat-control it wouldn't have worried about the nat statement, but maybe because it does match then it assumes you do want to nat it to something. As I said, even with "no nat-control", we will still nat packets if they match on a static/nat, and this seems to be what's happening here. When you then add the static command, that takes precedence over the nat command and is used correctly.
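A worked configuration for the three situations described in this thread (no nat at all, a nat with no matching global, and the fix without a static), added here as an example and not taken from the original posts. It uses the pre-8.3 nat/global/static syntax of ASA 7.x. The interface names ADM, RES and PUB and the 10.0.0.0 address space come from the thread; the access-list name ADM_RES_NONAT, the nat-id 1, the PUB global, and the assumption that 10.3.25.0/24 is the subnet behind RES are mine.

```cisco
! Added example, not the poster's running config. Assumed: RES = 10.3.25.0/24,
! PUB is the Internet-facing interface, ACL name ADM_RES_NONAT, nat-id 1.

no nat-control
!
! Case 1: no nat or static touches ADM -> RES. With "no nat-control" the ASA
! routes the traffic untranslated; only the interface ACLs decide.
access-list ADM_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-group ADM_access_in in interface ADM
!
! Case 2: a nat statement on ADM exists, e.g. for Internet access via PUB.
! It matches 10.0.0.0/8 regardless of egress interface, so ADM -> RES traffic
! is selected for translation, finds no "global (RES) 1", and is dropped.
! Expect 305006 ("regular translation creation failed") in the syslog.
nat (ADM) 1 10.0.0.0 255.0.0.0
global (PUB) 1 interface
!
! Fix without static: exempt ADM <-> RES traffic from translation. nat 0 with
! an access-list is evaluated before nat 1 and works in both directions, so
! RES -> ADM only needs the RES interface ACL to permit it.
access-list ADM_RES_NONAT extended permit ip 10.0.0.0 255.0.0.0 10.3.25.0 255.255.255.0
nat (ADM) 0 access-list ADM_RES_NONAT
!
! Verification after the change:
! show run nat-control          -> should print "no nat-control"
! show xlate                    -> no xlate is built for ADM -> RES flows
! show logging | include 305006 -> the translation-failed messages stop
```

Alternatively, if the nat 1 statement is only there for Internet access, removing it and relying on "no nat-control" alone gives the same result for ADM -> RES, but then Internet-bound traffic from 10.0.0.0/8 would also leave untranslated; the nat 0 exemption keeps the two cases separate.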