I am using an ASA-5540 strictly for IPsec VPN lan-2-lan tunnels and will never be NATing outbound as we have a public Class-B address space.
Since I'm never going to be NATing, can I disable the nat 0 and no-nat functionality completely so that the ASDM doesn't always supply a no nat line for every ACL entry? I'll have 100s of host and network objects and don't want to no-nat any of them.
I believe you can accomplish this through the use of the no nat-control command in ASA. I personally have not faced this scenario but have read about it; look into the nat-control disabling/enabling command and its purpose. I think it should provide you with what you are looking for.
Looks like you simply need to disable NAT on the firewall. You should have some lines like below:
nat (inside) 0 access-list natzero
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list natzero
nat (DMZ) 1 0.0.0.0 0.0.0.0
You can remove the access-list part and this will remove the natzero config. If you need to remove NAT altogether then you may want to remove the nat statements altogether. However, you need to look at traffic between different segments, as removing NAT from the firewall completely is not a good idea.
Like someone already said, the 'no nat-control' command is what you're looking for. If you need to NAT anything at a later time, you can still do so. The 'no nat-control' command doesn't mean you can't NAT, only that you don't have to NAT.
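As an added illustration (constructed here, not posted by anyone in the thread), the pre-8.3 ASA configuration with nat-control enabled, which forces an identity rule for every inside network, beside the same firewall with it disabled. Interface names, the natzero ACL contents and the 203.0.113.0/24 address block are assumptions.

```cisco
! Constructed example, ASA pre-8.3 syntax (not from the thread).
! Interface names and addresses are placeholders.
!
! --- Before: nat-control on. A packet from an inside host with no
! --- matching nat statement is dropped, so every protected network
! --- needs an identity (nat 0) entry and ASDM keeps generating them.
nat-control
access-list natzero extended permit ip 203.0.113.0 255.255.255.0 any
nat (inside) 0 access-list natzero
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! --- After: nat-control off. Traffic with no nat statement is
! --- forwarded untranslated, so the per-object exemptions go away.
no nat-control
no nat (inside) 0 access-list natzero
no nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
clear configure access-list natzero
!
! --- Verify the resulting state before bringing tunnels up.
show running-config nat-control
show running-config nat
```

With nat-control disabled, a nat statement can still be added later for a specific network and it will be applied; only the requirement that every host match one is removed.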