Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Pros and cons of NO-NAT?

I am trying to determine if using no-nat between the inside and the DMZ is bad in any way. I was told that running no-nat between private interface does not cause any security risks, is this true? Am I losing any security functionality if I choose to bypass NAT? Below is my config.

Thanks in advance!

interface Ethernet0/0

nameif outside

security-level 0

ip address 200.123.*.*

interface Ethernet0/1

nameif inside

security-level 100

ip address

interface Ethernet0/2

nameif DMZ

security-level 50

ip address

access-list nonat extended permit ip

nat (inside) 0 access-list nonat

global (outside) 1 200.123.*.*

nat (inside) 1

nat (inside) 1

nat (inside) 1

nat (inside) 1


Re: Pros and cons of NO-NAT?

If you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected. The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0.

Community Member

Re: Pros and cons of NO-NAT?

Thanks for the replay!

My question more centered around whether or not you loose any security features of the ASA if you choose to run "no-nat" between the inside and DMZ.

Thanks again!


Re: Pros and cons of NO-NAT?

I'm not sure why the other poster here thinks you can't have nat statements if you disable nat-control. That's simply not true.

For the original poster, from your partial config, I can't tell if you have nat-control enabled or not. Whether or not this is enabled will dictate if there is any security between those interfaces w/ or w/o nat.

Since the DMZ has a lower security level though, with or without NAT you will need ACL's to originate traffic from the DMZ to the inside. If you want to control traffic from the inside to the dmz, you might consider applying an acl inbound on the inside interface, or outbound on the dmz interface.

CreatePlease to create content