We currently have several offices internationally. Each office is considered an untrusted site, so we have firewalls between offices. Most of these firewalls started with PIX 6.3 but have been upgraded to 7.2. Many of the rules have been put in place to allow clients in offices to connect with specific servers in another office. Since these firewalls started on 6.3 code, we have NAT in place with an identity NAT for all traffic going over the firewall. We do not actually NAT to different IPs (all of this is on an internal network with private IPs). In order to access the servers, we have static NAT commands (and in some cases, static NATs for entire subnets). Now we need the ability to allow all clients to talk with all other clients on specific ports for a real-time communications program.
I am assuming the only two options we have are adding static NATs for all subnets in our networks, or issuing "no nat-control" and disabling NAT altogether. Since we do not actually NAT to different IPs (all of this is on an internal network with private IPs), will we break anything by disabling NAT? I just hate to be the one pulling the trigger. Thank you for your help.
If all you are currently doing is static identity NAT, then I can't see any difference that no nat-control would make. If no translation is required, why configure a long list of statics when no nat-control would accomplish the same outcome? Configure the access list to open up ports for all your application(s) and control the access there.
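
One way to check the condition this answer rests on (every existing rule is an identity translation) before issuing `no nat-control`. This is an added example, not code from the thread; the sample configuration, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of a PIX 7.2 running-config; all addresses and names are made up.
SAMPLE_CONFIG = """\
nat-control
nat (inside) 0 10.10.0.0 255.255.0.0
static (inside,outside) 10.10.5.20 10.10.5.20 netmask 255.255.255.255
static (inside,outside) 10.10.8.0 10.10.8.0 netmask 255.255.255.0
access-list outside_in extended permit tcp 10.20.0.0 255.255.0.0 host 10.10.5.20 eq 443
access-group outside_in in interface outside
"""

# static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
PLAIN_STATIC = re.compile(r"^static \(\S+,\S+\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b")
# nat (real_if) nat_id ...   (nat_id 0 = identity NAT or NAT exemption)
NAT_RULE = re.compile(r"^nat \(\S+\) (\d+) ")


def audit_translations(config):
    """Sort translation commands into address-preserving and address-changing."""
    report = {"nat_control": False, "identity": [], "translating": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "nat-control":
            report["nat_control"] = True
        elif line.startswith("static "):
            m = PLAIN_STATIC.match(line)
            # Port redirection and policy statics do not match and are flagged for review.
            same = bool(m) and m.group(1) == m.group(2)
            report["identity" if same else "translating"].append(line)
        elif line.startswith("nat "):
            m = NAT_RULE.match(line)
            same = bool(m) and m.group(1) == "0"
            report["identity" if same else "translating"].append(line)
        elif line.startswith("global "):
            # A global pool only exists to back a dynamic NAT/PAT rule.
            report["translating"].append(line)
    return report


def only_identity_nat(config):
    """True when no configured rule rewrites an address."""
    return not audit_translations(config)["translating"]


if __name__ == "__main__":
    result = audit_translations(SAMPLE_CONFIG)
    for kind in ("identity", "translating"):
        for rule in result[kind]:
            print(f"{kind:12} {rule}")
    print("only identity NAT:", only_identity_nat(SAMPLE_CONFIG))
```

With nat-control off, the interface access lists alone decide which hosts are reachable, so check them for overly broad permit entries before making the change.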