From: sushil menon (sushilmenon2001@gmail.com)
Date: Mon Jul 21 2008 - 04:01:00 ART
Hi Nasim,
One thing I am pretty sure of is that when nat-control is not enabled
globally, which is the default, and you then do a nat (inside) 1 0 0
with global (outside) 1 interface,
this only means that all the sources originating on the inside are
PATed when going to the outside.
However, if you have 2 other interfaces, let's say dmz1 and dmz2, with dmz1
having the higher security level, then traffic going from dmz1 to dmz2 requires
no NAT, because by default higher-to-lower traffic is allowed and no
nat-control is enabled by default, so no natting is required.
The reason Cisco came out with the no nat-control thing was to reduce the
configuration.
So with no nat-control you only need to enable NAT for the required subnets,
and the rest can go untranslated.
Regards,
Sushil
On Mon, Jul 21, 2008 at 5:14 AM, verb2300@yahoo.com <verb2300@yahoo.com>
wrote:
> No, a nat statement is not the same as nat control. You are matching all
> traffic entering your inside interface with a nat statement. That's it. Nat
> control is global and applies to all traffic sourced from a higher security
> interface to a lower security interface, making a nat statement a requirement
> for traffic flows. If you really want to understand, look at the difference
> between PIX code 6.3 and 7.0, specifically the implementation of MPF.
>
> Muhammad Nasim wrote:
> > Dear All,
> > Is it true that if we enable PAT on the ASA, e.g.
> > nat (inside) 1 0 0
> > global (outside) 1 interface
> > then the ASA will behave the same as if "nat-control" is enabled (although
> > nat-control is disabled)?
> > Any inputs and links will be helpful.
> > Thanks
> > --
> > Muhammad Nasim
> > Network Engineer
> > Saudi Arabia