I am trying to determine if using no-nat between the inside and the DMZ is bad in any way. I was told that running no-nat between private interfaces does not cause any security risks; is this true? Am I losing any security functionality if I choose to bypass NAT? Below is my config.
Thanks in advance!
ip address 200.123.*.* 255.255.255.0
ip address 10.1.252.2 255.255.255.0
ip address 10.1.254.1 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0
If you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected. The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0.
I'm not sure why the other poster here thinks you can't have nat statements if you disable nat-control. That's simply not true.
For the original poster, from your partial config, I can't tell if you have nat-control enabled or not. Whether or not this is enabled will dictate if there is any security between those interfaces w/ or w/o nat.
Since the DMZ has a lower security level though, with or without NAT you will need ACLs to originate traffic from the DMZ to the inside. If you want to control traffic from the inside to the DMZ, you might consider applying an ACL inbound on the inside interface, or outbound on the DMZ interface.
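Putting the two replies together, here is what the inside/DMZ part of such a config looks like in pre-8.3 PIX/ASA syntax. This is an added illustration, not the original poster's config or Cisco's reference: the interface names, security levels, Ethernet slots and the 10.1.252.10 server with its ports are assumptions; only the nonat ACL and the two 10.1.x.x interface addresses come from the thread.

```cisco
! Added example, not the original poster's full config (pre-8.3 syntax).
! Interface names, security levels, Ethernet slots and the host 10.1.252.10
! with its ports are assumptions for illustration only.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.252.2 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.254.1 255.255.255.0
!
! NAT exemption: inside hosts keep their real addresses toward the DMZ.
! If nat-control is enabled, this is the translation entry the appliance
! requires for inside<->dmz traffic; if nat-control is disabled, the
! untranslated traffic would pass even without it.
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Separation between the interfaces comes from the ACLs, not from NAT.
! dmz (lower security) -> inside is denied by default; permit only what
! the DMZ hosts actually need, then deny and log the rest of 10.1.0.0/16.
access-list dmz_in extended permit tcp 10.1.254.0 255.255.255.0 host 10.1.252.10 eq 1433
access-list dmz_in extended deny ip 10.1.254.0 255.255.255.0 10.1.0.0 255.255.0.0 log
access-list dmz_in extended permit ip 10.1.254.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! Optional, as the reply suggests: restrict inside -> dmz on the inside
! interface inbound. Applying an ACL removes the implicit permit for
! higher-to-lower traffic, so the final permit keeps other inside traffic
! (for example to the outside) working.
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0 eq 443
access-list inside_in extended deny ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0 log
access-list inside_in extended permit ip 10.1.0.0 255.255.0.0 any
access-group inside_in in interface inside
```

The logged deny entries in the dmz_in ACL are the place to watch for DMZ hosts probing inside addresses, which is the visibility NAT alone never gave you.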
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...