Community Member

Nonat translation

Hi,

Assume we are using an ASA with three zones configured. The security level of each interface is as below:

INSIDE=100

TRUSTED=90

OUTSIDE=0

Also assume I have IP scheme 1.1.1.0/24 for inside, 2.2.2.0/24 for trusted and 3.3.3.0/24 for outside.

I want to allow/permit the users from the Trusted and outside zones to inside without translation.

Please let me know whether the below configuration will work.

nat (trusted) 0 access-list nonattrust

nat (outside) 0 access-list nonatoutside

access-group outside in interface outside

access-group trust in interface trusted

access-list trust permit tcp host 2.2.2.5 host 1.1.1.5 eq 80

access-list nonattrust permit ip host 2.2.2.5 host 1.1.1.5

access-list outside permit tcp host 3.3.3.5 host 1.1.1.5 eq 80

access-list nonatoutside permit ip host 3.3.3.5 host 1.1.1.5

I am aware that for an inbound connection (lower to higher) a static translation is required, but I heard from one of my colleagues that the above config will work.

Expecting an earliest reply.

Thanks and Regards,

Magesh

4 REPLIES

Re: Nonat translation

Hi,

On the ASA there is an option to disable the need for mandatory traffic NAT, so no NAT 0 statement is needed. This will still let you use NAT for specific traffic.

Give it a try.

Please rate if this helped.

Regards,

Daniel

Community Member

Re: Nonat translation

Hi,

I believe you are talking about the NAT-control feature. Please let me know whether the above config will work if I don't use NAT-control.

Thanks,

Magesh

Re: Nonat translation

Hello Magesh,

As you know, the "nat-control" command was not there in 6.x versions. But the default behaviour back then was in fact that of "nat-control", meaning that without a NAT rule configured, inside traffic could not go outside.

However, in 7.x the default is "no nat-control", which means inside traffic can traverse the firewall towards outside even if there is no NAT translation configured.

So basically with "no nat-control" you open up the door for the traffic to go through PIX even if there is no nat rule configured for that particular traffic.

Similarly, for traffic from outside to inside with "no nat-control", you do not need any static defined either. The processing of an incoming packet continues (going through the ACL and seeing if we should block it or allow it, etc.).

I think you should try the config on some test setup and confirm it's working...

Hope this helps..

Raj
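As an added illustration (not code from any poster here, and a toy model rather than anything the ASA runs), the following Python check applies the config from the question to an inbound flow under the 7.x-style "nat-control" and "no nat-control" behaviour Raj describes. It assumes the usual pre-8.3 order of processing (inbound interface ACL first, then the NAT requirement), and that a "nat 0 access-list" exemption counts as a NAT rule for connections started from either side; the config text is taken from the question above.

```python
import re

# Constructed from the config posted in the question (not an ASA parser; toy model only).
CONFIG = """
nat (trusted) 0 access-list nonattrust
nat (outside) 0 access-list nonatoutside
access-group outside in interface outside
access-group trust in interface trusted
access-list trust permit tcp host 2.2.2.5 host 1.1.1.5 eq 80
access-list nonattrust permit ip host 2.2.2.5 host 1.1.1.5
access-list outside permit tcp host 3.3.3.5 host 1.1.1.5 eq 80
access-list nonatoutside permit ip host 3.3.3.5 host 1.1.1.5
"""

ACL_RE = re.compile(r"access-list (\S+) permit (\S+) host (\S+) host (\S+)(?: eq (\d+))?")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
NAT0_RE = re.compile(r"nat ?\((\S+)\) 0 access-list (\S+)")

def parse(cfg):
    """Return (ACL entries by name, inbound ACL by interface, nat-0 exemption ACL by interface)."""
    acls, groups, exempt = {}, {}, {}
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((proto, src, dst, int(port) if port else None))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
        elif m := NAT0_RE.match(line):
            exempt[m.group(1)] = m.group(2)
    return acls, groups, exempt

def acl_permits(entries, proto, src, dst, port):
    """ACL lookup: 'ip' entries match any protocol, an entry without 'eq' matches any port."""
    return any(es == src and ed == dst and ep in ("ip", proto) and eport in (None, port)
               for ep, es, ed, eport in entries)

def inbound_allowed(cfg, iface, proto, src, dst, port, nat_control):
    """Lower-to-higher flow entering on iface: inbound interface ACL first, then the nat-control gate."""
    acls, groups, exempt = parse(cfg)
    if not acl_permits(acls.get(groups.get(iface), []), proto, src, dst, port):
        return False                       # dropped by the inbound ACL, NAT never consulted
    if not nat_control:
        return True                        # "no nat-control": the ACL alone decides
    # "nat-control": some NAT rule must cover the flow; the nat 0 access-list exemption
    # satisfies that and, unlike dynamic NAT, also covers connections started from outside.
    ex = exempt.get(iface)
    return ex is not None and acl_permits(acls.get(ex, []), proto, src, dst, port)
```

The practical point for review: once nat-control is off, the inbound ACLs are the only gate for lower-to-higher traffic, so they deserve the scrutiny that static and nat 0 entries used to get.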

Community Member

Re: Nonat translation

Hi Raj,

Thanks much for your help.

Let me try this in the test setup and get back to you.

Thanks,

Magesh
