Cisco Support Community

New Member


Hi all

Was wondering if anyone could provide me with or link me to a good explanation of nat-control. I remember a course instructor telling me with it disabled, the ASA acts basically like a router. Is this really the case?

I'd like to avoid all the complex NAT configuration issues involved with configuring multiple DMZs, and I was hoping with nat-control disabled this would be the case.

I still require inside to outside nat translations and certain hosts on my public dmz to translate when they access the internet for certain services as well as static nat translations for internet facing servers.

Then I have my private DMZ that needs to talk to the public DMZ and vice versa, which I would prefer not to have to configure NAT for.

Am I doomed to nat hell or will disabling nat-control be my saviour?

Thanking all in advance.

P.S. I'm waiting on the arrival of my new ASA 5520 to replace my Pix 515e v6.3, so I haven't had a chance to play with it yet.



Re: nat-control

With nat-control turned on, traffic going from an inside network to an outside network has to meet a NAT statement or the packet is dropped. With nat-control turned off, if a packet doesn't match a NAT rule it is left with the original address and sent on its merry way.

It is more secure to use nat-control as it only allows known IPs to traverse the firewall.

Setting up NAT from one DMZ to another is easy to do. Just use the subnets and it's 1 statement.

static (dmz1, dmz2) netmask

Here is the NAT doc for 7.2.



Please rate if this helps.
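
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model that reports which flows change fate when nat-control is toggled. The interface names, subnets and rule labels are constructed, and the model assumes first-match rules and ignores security levels and access lists.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    real_if: str    # interface the source host sits on
    mapped_if: str  # interface the traffic leaves through
    source: str     # real source subnet, CIDR form
    mapped: str     # constructed label for the translated address or pool

def decide(rules, nat_control, src_if, dst_if, src_ip):
    """Return (action, source address seen on dst_if) for one flow."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        same_path = (r.real_if, r.mapped_if) == (src_if, dst_if)
        if same_path and addr in ipaddress.ip_network(r.source):
            return ("translate", r.mapped)
    if nat_control:
        # nat-control on: no matching NAT rule means the packet is dropped
        return ("drop", None)
    # nat-control off: the packet keeps its original address
    return ("pass-untranslated", src_ip)

def audit(rules, flows):
    """List flows whose outcome depends on the nat-control setting."""
    findings = []
    for flow in flows:
        on = decide(rules, True, *flow)
        off = decide(rules, False, *flow)
        if on != off:
            findings.append((flow, on[0], off[0]))
    return findings

# Constructed sample rules and flows (not taken from the thread)
RULES = [
    NatRule("inside", "outside", "10.1.1.0/24", "outside-interface-PAT"),
    NatRule("dmz1", "dmz2", "192.168.10.0/24", "192.168.10.0/24 (identity)"),
]
FLOWS = [
    ("inside", "outside", "10.1.1.25"),
    ("inside", "outside", "10.1.2.40"),   # subnet with no NAT rule
    ("dmz1", "dmz2", "192.168.10.7"),
    ("dmz1", "outside", "192.168.10.7"),  # path with no NAT rule
]

if __name__ == "__main__":
    for flow, on, off in audit(RULES, FLOWS):
        print(flow, "| nat-control on:", on, "| off:", off)
```

The flows it reports are the ones that would leave the firewall with their real source address once nat-control is disabled, so they are the ones to check against the access lists before making the change.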
