Nonat translation

Kmageshkumar
Level 1

Hi,

Assume we are using an ASA with three zones configured; the security level of each interface is as below:

INSIDE=100

TRUSTED=90

OUTSIDE=0

Also assume I have IP scheme 1.1.1.0/24 for inside, 2.2.2.0/24 for trusted and 3.3.3.0/24 for outside.

I want to allow/permit the users from the Trusted and outside zones to inside without translation.

Please let me know whether the below configuration will work.

nat (trusted) 0 access-list nonattrust
nat (outside) 0 access-list nonatoutside
access-group outside in interface outside
access-group trust in interface trusted
access-list trust permit tcp host 2.2.2.5 host 1.1.1.5 eq 80
access-list nonattrust permit ip host 2.2.2.5 host 1.1.1.5
access-list outside permit tcp host 3.3.3.5 host 1.1.1.5 eq 80
access-list nonatoutside permit ip host 3.3.3.5 host 1.1.1.5

I am aware that for an inbound connection (lower to higher) a static translation is required, but I heard from one of my colleagues that the above config will work.

Expecting your earliest reply.

Thanks and Regards,

Magesh

4 Replies

5220
Level 4

Hi,

On ASA there is an option to disable the need for mandatory traffic NAT, so no NAT 0 statement is needed. This will still let you use NAT for specific traffic.

Give it a try.

Please rate if this helped.

Regards,

Daniel

Hi,

I believe you are talking about the NAT-control feature. Please let me know whether the above config will work if I haven't used NAT-control.

Thanks,

Magesh

Hello Magesh,

As you know, the "nat-control" command was not there in the 6.x version. But the default behaviour back then was in fact that of "nat-control", meaning without a nat rule configured, inside traffic could not go outside.

However, in 7.x, the default is "no nat-control", which means inside traffic can traverse the firewall towards outside even if there is no nat translation configured.

So basically with "no nat-control" you open up the door for the traffic to go through the PIX even if there is no nat rule configured for that particular traffic.

Similarly, for traffic from outside to inside with "no nat-control", you do not need any static defined either. The processing of an incoming packet continues (going through the ACL and seeing if we should block it or allow it, etc.).

I think you should try the config on some test setup and confirm it is working...

Hope this helps..

Raj
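The two states Raj describes, written out as an added ASA 7.x/8.2-style configuration for the three zones in the question (example configuration, not from the thread; the interface names and the 1.1.1.5 web server come from the original post, the ACL names are assumed):

```cisco
! Option A: the 7.x and later default, "no nat-control".
! No translation rule is needed in either direction; the interface
! ACLs alone decide whether the lower-security hosts may connect in.
no nat-control
!
access-list outside_in extended permit tcp host 3.3.3.5 host 1.1.1.5 eq 80
access-list trusted_in extended permit tcp host 2.2.2.5 host 1.1.1.5 eq 80
access-group outside_in in interface outside
access-group trusted_in in interface trusted

! Option B: "nat-control" enabled (the pre-7.x behaviour).
! Every packet crossing the ASA now needs a matching NAT rule, so the
! inside server gets a NAT exemption (nat 0 with an ACL) that leaves
! its address unchanged. Exemption is bidirectional, so the trusted
! and outside hosts may initiate, unlike identity NAT without an ACL.
! The interface ACLs from Option A are still required to permit them.
nat-control
!
access-list NONAT extended permit ip host 1.1.1.5 host 2.2.2.5
access-list NONAT extended permit ip host 1.1.1.5 host 3.3.3.5
nat (inside) 0 access-list NONAT
```

Under Option B, any other inside host still needs its own nat/global or static rule before it can cross the firewall.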

Hi Raj,

Thanks much for your help.

Let me try this in the test setup and get back to you.

Thanks,

Magesh
