Cisco Support Community

Logging and nat rules question

Hi all

I have an ASA with the latest ASDM. I have 2 questions.

When doing a no-NAT rule between 2 destinations, do I create a NAT rule with my source and destination, then in the bottom box keep both as original? How do I know if NAT control is enabled on the GUI?

I need to see some logs for something that is getting denied. On the bottom of each ACL I don't see the implicit deny rule; do I need to create one at the bottom of my ACL in question and turn logging to debugging?

Many thanks

5 REPLIES

Logging and nat rules question

Hello Carl,

Is the requirement to know it via ASDM, or can it be via CLI?

If CLI, I can help you right now.

Do a sh run nat-control (if you are running a version higher than 8.3, NAT control will be disabled by default).

Regarding the no-NAT rule, yes, you have to leave them as original.

Now, regarding the ACL, in order to log it you need to create it (by default the implicit deny will not generate a log).

Regards,

Do rate all the helpful posts

Julio

Cisco Security Engineer

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
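
The no-NAT rule and the logged deny entry discussed in this reply, written as ASA 8.3+ CLI. This is an added example, not part of the original thread; the interface names, object names, ACL name and addresses are constructed assumptions.

```cisco
! Constructed objects and addresses for illustration (ASA 8.3+ syntax).
object network LOCAL-NET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NET
 subnet 10.2.2.0 255.255.255.0
!
! No-NAT rule: source and destination each translate to themselves,
! which is what keeping both translated fields as "original" in ASDM produces.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET
!
! Explicit deny as the LAST entry of the ACL, with the log keyword.
! Matches are reported as syslog 106100 at the level given here.
access-list OUTSIDE-IN extended deny ip any any log debugging
! Shown for completeness; skip if the ACL is already bound to the interface.
access-group OUTSIDE-IN in interface outside
!
! Logging must be enabled and the destination must accept that level.
logging enable
logging asdm debugging
logging buffered debugging
!
! Checks after applying:
!   show nat detail              (hit counters on the no-NAT rule)
!   show access-list OUTSIDE-IN  (hitcnt on the deny entry)
!   show logging                 (buffered messages)
```

A deny ip any any logged at debugging can be noisy on an Internet-facing interface, so lower the level or remove the log keyword once the denied flow has been identified.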

Logging and nat rules question

Hi

So if we run 8.4, is traffic allowed to flow through the device without NAT by default?

Also, with the logging messages, are you saying that I need to create an implicit deny under each of my access lists to see the deny logs?

Cheers

Logging and nat rules question

Hello Carl,

From 8.3 to new versions, NAT control is disabled, so if a packet from a higher security level wants to go to a lower version there is no need for a NAT statement as required on 8.2 or lower versions.

If you want to see the deny logs, yes, you will need to do that.

Regards,

Do rate all the helpful posts

Julio


Logging and nat rules question

Hi There

What about if traffic, say from outside (low security interface), needs access to a host on the inside (high security) interface? Do we need to configure a NAT exemption for this?

Many thanks

Carl

Logging and nat rules question

Hello Carl,

Not at all, you do not need that, but if you have a private IP address for the internal host you will need to NAT it to the outside world to make it routable... but that is common sense.

It is not required to use it (if you have public IP addresses on the inside interface then you will not need to do the NAT).

Hope this helps.

Please let me know if you have any other questions; if not, please mark the question as answered.

Regards,

Julio
