Cisco Support Community
New Member

"no-nat control" on ASA 5520

I have an Active/Standby ASA 5520. The problem I am facing is with NATing. I don't want to use the ASA for NATing.

To accomplish that, I have not used any NAT rule and have run the "no-nat control" command on the ASA. But after that I am not able to ping the WAN or reach the internet from the LAN.

Then I added the commands below and everything started working:

global (WAN) 1 interface

nat (LAN) 1

Can't I use the ASA without NATing?



Re: "no-nat control" on ASA 5520

To use the ASA without NATing, one of the following conditions would have to be met:

1. Some other device NATs for you to reach the Internet

2. Each and every host in your network that needs Internet access must be assigned a publicly routable address.

If you're using the ASA to separate internal networks, you could also disable NAT, depending on your policy.

New Member

Re: "no-nat control" on ASA 5520


I am using the router for NATing, and the internet is working fine if I enable the NAT commands (mentioned in the previous post) on the ASA.

But if I remove those commands from the ASA and use no nat-control, then I am not able to access the internet.




Re: "no-nat control" on ASA 5520

We need more information about your network to begin troubleshooting then.

We need to know about the router. Where is it in relation to the firewall? What IPs are assigned to each of its interfaces? Are there any ACLs blocking your internal address block?

New Member

Re: "no-nat control" on ASA 5520

User <--> LAN s/w <--> ASA5520 <--> L2 switch <-->WAN Rtr <-->Internet

Above is the topology. is the pool used. Attached ASA configuration (first post) contains the subnets used for each interface.

I have tried a few things:

- removed NAT commands from ASA

- cleared ARP on firewall and router

Now it's working. But I can't find the reason for that. Also, I am worried that this problem might recur.


New Member

Re: "no-nat control" on ASA 5520

As another poster mentioned, I don't know what your external router is doing, but if you are having to enable the nat-control feature on the ASA, then this means that your external router may only be NATing the IP address of the external interface on your ASA. If you do a no nat-control, this means that your network is being NATed to your external interface with or NAT 0. To make things a bit clearer, the ASA will allow all your internal IPs to traverse the ASA, but they get NATed with the same IP address as the source. If you enable nat-control on the ASA, then in order for any traffic to flow the ASA will need a NAT statement, which you mentioned using:

global (outside) 1 interface

nat (inside) 1 0 0

This will NAT all your inside IPs to the public IP of your ASA. If the NAT statement on your external-facing router is set up correctly, so that it NATs to the outside interface or pool of the router, then you should be able to use no nat-control and things should work. Again, not knowing your network, these are a couple of things to look at.
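
An added example, not part of any post in this thread: a small config audit for the pre-8.3 `nat` / `global` / `nat-control` syntax discussed above. It reports whether nat-control is on, which dynamic `nat` rules lack a `global` with the same ID, and which rules still translate traffic when nat-control is off. The function name `audit`, the sample config and its DMZ interface are constructed for illustration, and a config with no `nat-control` line is assumed to have it disabled.

```python
import re

# Constructed sample in pre-8.3 ASA syntax; LAN/WAN names follow the thread.
SAMPLE = """\
nat-control
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
"""

# Matches "nat (ifc) id ..." and "global (ifc) id ..." lines.
RULE = re.compile(r"^(nat|global) \((\S+?)\) (\d+)\b")


def audit(config):
    """Return (nat_control_enabled, findings) for a pre-8.3 ASA config."""
    nat_control = False              # assumption: absent line means disabled
    nats, pools = {}, {}             # NAT ID -> set of interface names
    for raw in config.splitlines():
        line = raw.strip()
        if line == "nat-control":
            nat_control = True
        elif line == "no nat-control":
            nat_control = False
        m = RULE.match(line)
        if m:
            table = nats if m.group(1) == "nat" else pools
            table.setdefault(int(m.group(3)), set()).add(m.group(2))

    findings = []
    for nat_id, ifcs in sorted(nats.items()):
        if nat_id == 0:
            continue                 # nat 0 is identity NAT/exemption, no global needed
        for ifc in sorted(ifcs):
            if nat_id not in pools:
                findings.append(f"nat ({ifc}) {nat_id} has no matching global")
            elif not nat_control:
                # Disabling nat-control does not remove NAT rules: traffic
                # that matches one is still translated.
                findings.append(f"nat ({ifc}) {nat_id} still translates traffic")
    return nat_control, findings


if __name__ == "__main__":
    enabled, notes = audit(SAMPLE)
    print("nat-control enabled:", enabled)
    for note in notes:
        print(" -", note)
```
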