From: David Tran (davidtran_mclean@yahoo.com)
Date: Sun Jul 20 2008 - 16:37:22 ART
Here is a better way to understand this with an example.
You have an ASA with four interfaces: inside, outside, dmzA and dmzB, with
security levels 100, 0, 90 and 80, respectively, and you have "no nat-control"
enabled, which is the default.
Now let's say you do this:
nat (inside) 1 0 0
nat (dmzA) 1 0 0
global (outside) 1 interface
Now let's say you do NOT want to NAT anything between inside, dmzA and dmzB.
If that is the case, then you have to do this:
static (inside,dmzA) x.x.x.x x.x.x.x netmask y.y.y.y
static (inside,dmzB) x.x.x.x x.x.x.x netmask y.y.y.y
static (dmzA,dmzB) z.z.z.z z.z.z.z netmask v.v.v.v
or use nat exemption.
The key thing to look for is the number of interfaces and the security level
on the interfaces themselves.
As you can see, things can get complicated very quickly. This is the result
of putting a security level on the interface.
--- On Sun, 7/20/08, sushil menon <sushilmenon2001@gmail.com> wrote:
From: sushil menon <sushilmenon2001@gmail.com>
Subject: Re: is it true about ASA?
To: "Muhammad Nasim" <muhammad.nasim@gmail.com>
Cc: "Cisco certification" <security@groupstudy.com>, "GS CCIE-Lab"
<ccielab@groupstudy.com>
Date: Sunday, July 20, 2008, 1:49 PM
Hi, in this case all the traffic from the inside will be natted while going to
the outside, even though nat-control is disabled. But traffic from dmz to
outside will not be natted since nat-control is disabled.
regards
sushil
On Sun, Jul 20, 2008 at 10:00 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
> Dear All,
>
> Is it true that if we enable pat on ASA for e.g
>
> nat (inside) 1 0 0
> global (outside) 1 interface
>
> Then ASA will behave same as "nat-control" is enabled. (Although
> nat-control is disabled).
>
>
>
>
> Any inputs and links will be helpful
>
> Thanks
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
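
Added example, not part of any message in this thread and not Cisco code: a small Python model of the NAT decision the thread discusses, run over the original question and over the four-interface example from the reply. It assumes pre-8.3 behaviour in which traffic that matches a nat rule but finds no global with the same id on the egress interface is dropped; the function and variable names are hypothetical.

```python
# Simplified model of pre-8.3 ASA NAT selection (added example; not Cisco code).
# Assumptions: every "nat (<if>) <id> 0 0" rule matches all source addresses,
# identity statics / NAT exemption are reduced to (src_if, dst_if) pairs, and
# a matched nat rule with no global on the egress interface drops the packet.

LEVELS = {"inside": 100, "dmzA": 90, "dmzB": 80, "outside": 0}

def decide(src, dst, nat, glob, bypass=frozenset(), nat_control=False):
    """Return what happens to a new connection from interface src to dst.

    nat:    {interface: nat_id}   e.g. nat (inside) 1 0 0
    glob:   {interface: nat_id}   e.g. global (outside) 1 interface
    bypass: {(src, dst)} pairs covered by identity static or nat exemption
    """
    if (src, dst) in bypass:
        return "untranslated (identity static / exemption)"
    outbound = LEVELS[src] > LEVELS[dst]
    # A plain nat rule (no "outside" keyword) only applies higher -> lower.
    if outbound and src in nat:
        if glob.get(dst) == nat[src]:
            return "PAT to %s interface" % dst
        return "dropped (nat rule matched, no global on %s)" % dst
    if outbound and nat_control:
        return "dropped (nat-control requires a NAT rule)"
    return "untranslated"

def matrix(nat, glob, bypass=frozenset(), nat_control=False):
    """Evaluate every ordered interface pair under one configuration."""
    return {(s, d): decide(s, d, nat, glob, bypass, nat_control)
            for s in LEVELS for d in LEVELS if s != d}

# The original question: PAT on inside only, nat-control disabled.
QUESTION = matrix({"inside": 1}, {"outside": 1})
# The four-interface example from the reply, before and after the statics.
NAT, GLOB = {"inside": 1, "dmzA": 1}, {"outside": 1}
BEFORE = matrix(NAT, GLOB)
AFTER = matrix(NAT, GLOB, bypass={("inside", "dmzA"), ("inside", "dmzB"),
                                  ("dmzA", "dmzB")})

if __name__ == "__main__":
    for name, m in (("question", QUESTION), ("before", BEFORE), ("after", AFTER)):
        for (s, d), verdict in sorted(m.items()):
            print("%-8s %-7s -> %-7s %s" % (name, s, d, verdict))
```

Running it prints one verdict per interface pair; comparing the "before" and "after" rows shows which flows the three static lines release from the nat rules.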
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART