Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

static statement still needed with "no nat-control"

Before version 7.0 when accessing hosts on a high security interface from hosts from a lower security interface, you had to specify a static (lower,higher) ipA ipA command, even if not NAT was involved.

Is this still true for V7.0 when using the "no nat-control" statement?


Re: static statement still needed with "no nat-control"

with the command "nat-control" disabled, no nat/pat is required for traffic from lower security level to higher security level. the only configuration required is the acl.

Re: static statement still needed with "no nat-control"

Hi. I'm Javad Noorjamali

My Web Site


Re: static statement still needed with "no nat-control"


With no-nat control, you do not have to configure static or nat/pat for inbound (lower to higher security , for example outside to inside) or outbound (higher to lower, for example inside to outside). Basically the NAT engine will be bypassed all together.

However, keep in mind that if you decide to configure NAT/PAT or static even though you have no nat-control configured, the packets will be checked against the NAT/PAT, and static rule. If there is a match, translation will take place just as pre 7.0 version. If there is no match on the other hand unlike pre 7.0 version, packet will not be dropped, rather will be passed untranslated.

Hope this helps !

Mynul Hoda

CISSP, CCIE # 9159

Author: Cisco Network Security Troubleshooting -

CreatePlease login to create content