Cisco Support Community

Turning off Nat-Control

Hey, I have an older ASA which is running nat-control. I'm assuming I can turn this feature off without causing any network-related outages, since as far as I know all nat-control does is require a NAT to be configured between different interfaces on the ASA? I was hoping that if I disable this feature, the NAT-between-interfaces requirement will no longer be an issue as far as communication between different interfaces goes.

1 ACCEPTED SOLUTION

Accepted Solutions

Turning off Nat-Control

Hi John,

Nat-control requires source NAT for the flows initiated from a higher security level (ex. 100/inside) to a lower security level (ex. 0/outside). Disabling this will allow you to forward the flows without this requirement. The NAT configuration that is already in place will not be affected by this.

Regards

Dan

5 REPLIES


Turning off Nat-Control

Hello John,

Great answer by Dan. Just to add something else: everything will work; the only thing that changes, as you pointed out, is that you DO NOT need to have a NAT rule to allow traffic between different interfaces, but you still NEED the ACLs for traffic flowing from lower to higher security levels.

Have a good one

Do rate all the helpful posts

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Turning off Nat-Control

I did find something interesting, and I believe I have actually read this in a thread on some random site before. After I turned off nat-control (which happened successfully), when I ran packet-tracer it was giving me an error saying that there was no global NAT for the private network to go to the less secure network, so to speak. So I set up identity NAT between two hosts in each network and the packet-tracer ran successfully without any problems. I don't know if this is a bug or a software version issue.

Turning off Nat-Control

Hi John,

I do not know if packet-tracer takes into account nat-control status when checking the flow permission. My impression is that it does not check it. I have never used packet-tracer with nat-control disabled, but I can run a simple test.

Regards

Dan

Turning off Nat-Control

Hi,

(.1) R1 -------10.10.1/24--------- FW ----------10.10.3/24-----------R3 (.1)

===== R1
R1#s ip inter brie | e una
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1/0            10.10.1.1       YES manual up                    up
R1#s ip ro | b Gat
Gateway of last resort is 10.10.1.100 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.10.1.100
R1#

====== R3
R3#s ip inter brie | e una
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1/0            10.10.3.1       YES manual up                    up
R3#s ip ro | b Gat
Gateway of last resort is 10.10.3.100 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.3.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.10.3.100
R3#

===== FW
pixfirewall# show ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                10.10.1.100     255.255.255.0   manual
Ethernet1                inside                 10.10.3.100     255.255.255.0   manual
pixfirewall# sh run access-g
access-group out in interface outside
pixfirewall# sh run access-l
access-list out extended permit ip any any

====== TEST 1
R1#ping 10.10.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/215/376 ms
R1#telnet 10.10.3.1
Trying 10.10.3.1 ... Open
R3#

====== TEST 2
pixfirewall# packet-tracer input outside icmp 10.10.1.1 0 0 10.10.3.1

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.3.0       255.255.255.0   inside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out in interface outside
access-list out extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.1 using egress ifc inside
adjacency Active
next-hop mac address ca02.1838.001c hits 41

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

======= TEST 3
pixfirewall# conf t
pixfirewall(config)#
pixfirewall(config)# nat-control
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#
pixfirewall#packet-tracer input outside icmp 10.10.1.1 0 0 10.10.3.1

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.3.0       255.255.255.0   inside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out in interface outside
access-list out extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So packet-tracer also considers nat-control status.

Regards

Dan
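Pulling together Dan's accepted answer (nat-control demands a translation for the higher-security side), Julio's point (ACLs for lower-to-higher traffic are still needed either way), John's identity-NAT observation and Dan's packet-tracer tests, the following is an added Python model of that decision; it is not Cisco code and not anything posted in the thread. The interface names, the 10.10.3.0/24 identity-NAT rule, the `permit ip any any` ACL model and the drop-reason strings are constructed; protocol and ports are ignored.

```python
"""Toy model of the two ASA/PIX checks discussed in this thread (added example,
not Cisco code). A new cross-interface flow must (1) be permitted by an inbound
ACL when entering a lower-security interface, and (2) while nat-control is on,
have the higher-security host covered by a nat rule, or the NAT rpf-check drops
it. Disabling nat-control removes check 2 only. Protocol/ports are ignored."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass
class Firewall:
    nat_control: bool
    security: dict                                  # interface -> security level
    acl_in: dict = field(default_factory=dict)      # ingress ifc -> [(src_net, dst_net)]
    nat_rules: dict = field(default_factory=dict)   # ifc -> [nets covered by a nat statement]

    def trace(self, in_ifc, src, dst, out_ifc):
        """Return (action, reason) for a new flow, in packet-tracer phase order."""
        src, dst = ip_address(src), ip_address(dst)
        lower_to_higher = self.security[in_ifc] < self.security[out_ifc]
        # Phase ACCESS-LIST: lower -> higher needs an explicit permit; higher -> lower
        # passes on the implicit rule (Julio's point: disabling nat-control keeps this).
        if lower_to_higher and not any(
                src in s and dst in d for s, d in self.acl_in.get(in_ifc, [])):
            return "drop", "(acl-drop) no inbound ACL permit"
        # Phase NAT rpf-check: only evaluated while nat-control is enabled (Dan's TEST 3).
        if self.nat_control:
            high_ifc, host = (out_ifc, dst) if lower_to_higher else (in_ifc, src)
            if not any(host in n for n in self.nat_rules.get(high_ifc, [])):
                return "drop", "(acl-drop) no translation group, implicit deny"
        return "allow", "flow created"


def thread_scenarios():
    """Replay the thread's cases on Dan's lab addresses; the 10.10.3.0/24 nat rule is constructed."""
    base = dict(security={"outside": 0, "inside": 100}, acl_in={"outside": [(ANY, ANY)]})
    outside_in = ("outside", "10.10.1.1", "10.10.3.1", "inside")
    inside_out = ("inside", "10.10.3.1", "10.10.1.1", "outside")
    no_natctl = Firewall(nat_control=False, **base)
    natctl = Firewall(nat_control=True, **base)
    fixed = Firewall(nat_control=True, nat_rules={"inside": [ip_network("10.10.3.0/24")]}, **base)
    no_acl = Firewall(nat_control=False, security=base["security"])
    return {
        "test2_natctl_off": no_natctl.trace(*outside_in),        # allow
        "test3_natctl_on_no_nat": natctl.trace(*outside_in),      # drop at NAT rpf-check
        "john_identity_nat_fix": fixed.trace(*outside_in),        # allow
        "acl_still_required": no_acl.trace(*outside_in),          # drop at ACCESS-LIST
        "inside_out_no_nat": no_natctl.trace(*inside_out),        # allow, no ACL or nat needed
    }
```

Each entry returned by `thread_scenarios()` maps one of the thread's cases to the phase at which the model allows or drops the flow, which is the check to make before disabling nat-control on a production box.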
