Pros and cons of NO-NAT?

anowell
Level 1

I am trying to determine if using no-nat between the inside and the DMZ is bad in any way. I was told that running no-nat between private interfaces does not cause any security risks. Is this true? Am I losing any security functionality if I choose to bypass NAT? Below is my config.

Thanks in advance!

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.123.*.* 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.252.2 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.254.1 255.255.255.0

access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 200.123.*.*
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.5.0 255.255.255.0

3 Replies

htarra
Level 4

If you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected. The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0.

Thanks for the reply!

My question was more centered around whether or not you lose any security features of the ASA if you choose to run "no-nat" between the inside and DMZ.

Thanks again!

I'm not sure why the other poster here thinks you can't have nat statements if you disable nat-control. That's simply not true.

For the original poster, from your partial config, I can't tell if you have nat-control enabled or not. Whether or not this is enabled will dictate if there is any security between those interfaces w/ or w/o nat.

Since the DMZ has a lower security level though, with or without NAT you will need ACLs to originate traffic from the DMZ to the inside. If you want to control traffic from the inside to the DMZ, you might consider applying an ACL inbound on the inside interface, or outbound on the DMZ interface.
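To show what the last reply describes in configuration form (identity NAT between inside and DMZ, with the security-level and ACL enforcement doing the actual access control), here is an added example written for this page; it is not from any poster in the thread. It assumes the pre-8.3 ASA syntax used in the original config. The DMZ web server 10.1.254.10, the inside database host 10.1.2.20, the inside DNS server 10.1.2.30 and the ports chosen are constructed placeholders, not values from the thread.

```cisco
! Check whether nat-control is on. With nat-control enabled, inside->DMZ
! traffic needs a translation entry (the nat 0 exemption below provides one);
! with it disabled, untranslated traffic passes subject to ACLs alone.
show running-config nat-control

! Keep the poster's identity exemption so DMZ hosts see the real 10.1.x.x
! source addresses; that makes DMZ-side logs and ACLs easier to read.
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0
nat (inside) 0 access-list nonat

! DMZ (level 50) -> inside (level 100): blocked by default, NAT or no NAT.
! Permit only the specific flows the DMZ application needs and log the rest.
! Hosts and ports below are constructed placeholders.
access-list dmz_in extended permit tcp host 10.1.254.10 host 10.1.2.20 eq 1433
access-list dmz_in extended permit udp 10.1.254.0 255.255.255.0 host 10.1.2.30 eq 53
access-list dmz_in extended deny ip any 10.1.0.0 255.255.0.0 log
! DMZ hosts may still reach lower-security networks (outside) if required
access-list dmz_in extended permit ip 10.1.254.0 255.255.255.0 any
access-group dmz_in in interface DMZ

! inside (level 100) -> DMZ (level 50): allowed by default. To restrict it,
! apply an inbound ACL on the inside interface. Once an ACL is applied there,
! its implicit deny covers every inside-originated flow, so Internet-bound
! traffic must be permitted explicitly as well.
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 host 10.1.254.10 eq 443
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 host 10.1.254.10 eq 22
access-list inside_in extended deny ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0 log
access-list inside_in extended permit ip 10.1.0.0 255.255.0.0 any
access-group inside_in in interface inside
```

The point the example makes is that removing translation between inside and DMZ changes nothing about which flows are permitted: the security levels still block DMZ-originated traffic until an ACL allows it, and the inside-to-DMZ direction is only restricted once an ACL is applied. The `log` keyword on the deny lines gives the DMZ-to-inside attempts a syslog trail, which is the visibility a practitioner would want on that boundary regardless of the NAT decision.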
