Re: is it true about ASA?

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Mon Jul 21 2008 - 04:21:10 ART


Thanks for your comments, but I want to mention what I understand.

Let's suppose I have the following four sites on my ASA:

1. OUTSIDE   ----------- 0
2. INSIDE    ----------- 100
3. DMZ       ----------- 50
4. WAN-SITES ----------- 75

"no nat-control" is there,

nat (inside) 1 0 0
global (outside) 1 interface

1- Inside ----- to ----- outside is PATTING. Done, understood :)

2- Inside ----- to ----- DMZ
Here I have to do NAT EXEMPTION or identity NAT using static because I don't
want inside users to be natted when going to the DMZ zone, so I will do

static (inside,dmz) x.x.x.x x.x.x.x netmask y.y.y.y

3- Inside ----- to ----- WAN-SITES
Here I have to do NAT EXEMPTION or identity NAT using static because I don't
want inside users to be natted when going to the WAN-SITES zone, so I will do

static (inside,wan-sites) x.x.x.x x.x.x.x netmask y.y.y.y

For the rest of the traffic I do not need any NAT exemption or identity NAT
using static because I did not enable "nat-control". For inside to any lower
security level I have to do NAT exemption or static because I did PATTING from
inside to outside.

Is my understanding correct? Please confirm.

Thanks

2008/7/21 sushil menon <sushilmenon2001@gmail.com>:

> Hi Nasim, one thing I am pretty sure of is that when having no nat-control
> enabled globally, which is the default, and then when you do a nat (inside) 1 0 0
> with global (outside) 1 interface,
>
> this only means natting for all the sources originating on the inside to be
> patted when going to the outside.
>
> However, if you are having 2 other interfaces, let's say dmz1 and dmz2, with dmz1
> with the higher security level, then traffic going from dmz1 to dmz2 requires
> no NAT because by default higher to lower traffic is allowed and no
> nat-control is enabled by default, so no natting is required.
>
> The reason Cisco came out with the no nat-control thing was to reduce the
> configuration.
> So with no nat-control you only need to enable NAT for the required subnets
> and the rest can go untranslated.
>
> Regards
>
> Sushil
>
>
> On Mon, Jul 21, 2008 at 5:14 AM, verb2300@yahoo.com <verb2300@yahoo.com>
> wrote:
>
>> No, a nat statement is not the same as nat-control. You are matching all
>> traffic entering your inside interface with a nat statement. That's it. NAT
>> control is global and applies to all traffic sourced from a higher security
>> interface to a lower security interface, making a nat statement a requirement
>> for traffic flows. If you really want to understand, look at the difference
>> between PIX code 6.3 and 7.0, specifically the implementation of MPF.
>>
>> Muhammad Nasim wrote:
>> > Dear All,
>> > Is it true that if we enable PAT on the ASA, e.g.
>> > nat (inside) 1 0 0
>> > global (outside) 1 interface
>> > then the ASA will behave the same as if "nat-control" is enabled (although
>> > nat-control is disabled)?
>> > Any inputs and links will be helpful
>> > Thanks
>> > --
>> > Muhammad Nasim
>> > Network Engineer
>> > Saudi Arabia
>>
>>
>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia
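Added example, not part of the original thread or any poster's configuration: a
pre-8.3 ASA configuration for the four-interface layout described above. The
interface assignments, the 10.x subnets and the 203.0.113.2 outside address are
constructed for illustration. It puts the inside-to-outside PAT rule next to the
NAT exemption (and the equivalent identity static) for inside-to-dmz and
inside-to-wan-sites, and shows that wan-sites-to-dmz needs no nat statement at
all. The reason the exemption is needed is that "nat (inside) 1 0 0" matches
every inside source whatever the egress interface, while only the outside
interface has a global pool for NAT ID 1; NAT exemption and static translations
are evaluated before dynamic NAT, so they give those flows a translation (their
own address) that the dynamic rule never sees.

```cisco
! Added example, not from the thread: ASA 7.x/8.0-8.2 (pre-8.3) NAT for the
! four interfaces in the scenario. All addresses are constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif wan-sites
 security-level 75
 ip address 10.3.0.1 255.255.0.0
!
! Default on the ASA: translation is optional, not mandatory.
no nat-control
!
! 1. inside -> outside: PAT everything behind the outside interface address.
!    "0.0.0.0 0.0.0.0" is what the shorthand "0 0" expands to; it matches
!    every inside source regardless of which interface the packet leaves by.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 2./3. inside -> dmz and inside -> wan-sites: exempt these destinations from
!    the dynamic rule above. There is no global for ID 1 on dmz or wan-sites,
!    and NAT exemption is checked before dynamic NAT, so these flows keep
!    their real source addresses.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Equivalent identity static for one pair, if static is preferred over nat 0
! (use one or the other for a given pair, not both):
! static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
! static (inside,wan-sites) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
!
! 4. wan-sites (75) -> dmz (50): higher to lower, no nat statement on
!    wan-sites, and nat-control is off, so the flow passes untranslated.
!    Nothing to configure for NAT here; only the access policy applies.
```

To confirm which rule a flow hits on a running box, "show xlate" after a test
connection shows a PAT entry for inside-to-outside and nothing for the exempted
pairs, and "show nat" lists the exemption ahead of the dynamic rule.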


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART