nat-control

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Guest

nat-control

Post by Guest » Sun Jan 02, 2011 10:06 am

Hi All, Can someone explain to me what the use of the commands nat-control and no nat-control on the ASA is? I am a newbie to ASA. I tried to search a lot on the internet but I didn't find a simple and explanatory answer. Please, can anyone help me out? Thanks

Guest

Re:nat-control

Post by Guest » Sun Jan 02, 2011 10:52 am

Hello, nat-control (or no nat-control) is a way of enforcing the NAT requirements on the Cisco Firewall (pre 8.3 code versions). If you configure nat-control, then the firewall enforces the rule that every packet going from higher security to lower security needs a NAT rule configured. If you configure "no nat-control", then the firewall will not enforce the NAT requirement as long as you have not configured any NAT rule for a specific traffic flow on that interface. http://www.cisco.com/en/US/products/ps6 ... l#backinfo Hope this helps. Regards, NT

Guest

Re:nat-control

Post by Guest » Sun Jan 02, 2011 11:47 am

Thanks for your fast response. I would like to let you know that the link you provided is not available. What I understand from your explanation is when we don't want to use NAT from a high security-level interface to a low security-level interface, for instance from inside to dmz. Can you give me an example for further clarification? Thanks, I really appreciate it

Guest

Re:nat-control

Post by Guest » Sun Jan 02, 2011 12:41 pm

Hello, Here is the link again: http://tinyurl.com/dmvylq So, essentially, when you disable nat-control, you are allowed to go from a higher security interface to a lower security interface without NAT. For example, let us say you have a public IP range on your inside network and DMZ network. Then, you actually do not need any NAT. So, you could disable NAT control. The other scenario I can think of is if you have a firewall just to protect different network segments and you have a different device that is handling NAT. In that case, again you can use "no nat-control". http://tinyurl.com/6gcquh Hope this helps. Regards, NT

Guest

Re:nat-control

Post by Guest » Sun Jan 02, 2011 2:03 pm

Hi, Assume that I have internal hosts and I want to allow them to access a web server residing in the DMZ segment, and this server has a private IP address, e.g. 172.16.1.5. Therefore in that case I can use exempt NAT; this is the explanation I got after surfing the web. Please advise.
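
The scenario from the last post (inside hosts reaching a DMZ web server at 172.16.1.5 without translation), written out as pre-8.3 ASA configuration. This is an added example, not part of the thread; the inside and DMZ subnets, the security levels, the ACL name and the PAT rule are assumptions.

```cisco
! Constructed addressing (assumption):
!   inside = 192.168.1.0/24, security-level 100
!   dmz    = 172.16.1.0/24,  security-level 50 (web server 172.16.1.5)

! --- Option A: nat-control enabled ---------------------------------
! Every inside -> lower-security flow must match a NAT rule or it is dropped.
nat-control

! Internet-bound traffic: dynamic PAT to the outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! inside -> dmz: NAT exemption (nat 0 with an ACL). The flow matches a NAT
! rule, so nat-control is satisfied, but addresses are left untranslated.
! NAT exemption is evaluated before the dynamic "nat 1" rule above.
access-list INSIDE_DMZ_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_DMZ_NONAT

! --- Option B: nat-control disabled --------------------------------
! A flow that matches no NAT rule is forwarded untranslated.
no nat-control

! Caveat, as stated in the first reply: this only holds while no NAT rule
! is configured for that flow on the interface. If the "nat (inside) 1"
! rule above is kept for Internet PAT, inside -> dmz traffic still matches
! it and has no "global (dmz) 1" to translate to, so keep the nat 0
! exemption in place (or add a global for the dmz interface).

! --- Checks (exec mode, not configuration) -------------------------
! show running-config nat-control
! show running-config nat
! packet-tracer input inside tcp 192.168.1.10 1025 172.16.1.5 80
! show xlate
```

NAT exemption only removes the translation requirement; interface access lists and security levels still decide which connections between inside and the DMZ are permitted.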
