Re: is it true about ASA?

From: Jason W. Miller (jaymiller5@gmail.com)
Date: Mon Jul 21 2008 - 07:27:29 ART


Here are configuration examples for multiple deployment methods, as well as
the logging from a catch-all "nat (inside) 1 0 0 and global (o) 1 int" and
from other configs.

outside security 0 183.1.100.12
inside security 100 192.10.1.12
dmz security 50 10.0.0.12

*Your question*
no nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
pinging from inside 192.10.1.8 to the dmz host 10.0.0.100

Jul 20 2008 23:10:03 Rack1ASA : %ASA-3-305006: portmap translation creation
failed for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)

As you can see, per your question, it requires the nat/pat mapping because
you're doing a nat (inside) 1 0 0 on the inside interface, so no matter what
the source IP hitting the inside interface is, it requires a translation
going to a lower security level interface.

*Config to not have to have a static from a specific subnet to the dmz given
security levels and no nat etc.*
no nat-control
global (outside) 1 interface
nat (inside) 1 183.1.10.0 255.255.255.0
!
pinging from the same 192.10.1.8 host to the dmz

Jul 20 2008 23:24:48 Rack1ASA : %ASA-6-302020: Built ICMP connection for
faddr 10.0.0.100/0 gaddr 192.10.1.8/11 laddr 192.10.1.8/11

As you can see here, this works going from the inside 192.10.1.8 (which is
not in your nat statement) to 10.0.0.100, sourcing the traffic from a
network other than 183.1.10/24.

*And now with nat-control enabled via the configuration "nat-control"*
nat-control
global (outside) 1 interface
nat (inside) 1 183.1.10.0 255.255.255.0
!
pinging from the same 192.10.1.8 host to the dmz

Jul 20 2008 23:26:57 Rack1ASA : %ASA-3-305005: No translation group found
for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)
Jul 20 2008 23:26:59 Rack1ASA : %ASA-3-305005: No translation group found
for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)
Jul 20 2008 23:27:01 Rack1ASA : %ASA-3-305005: No translation group found
for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)

*And now with a specific inside/dmz nat configured with nat control enabled
globally*
nat-control
global (outside) 1 interface
nat (inside) 1 183.1.10.0 255.255.255.0
!
static (inside,dmz) 192.10.1.8 192.10.1.8 netmask 255.255.255.255

pinging from the same 192.10.1.8 host to the dmz

Jul 20 2008 23:30:26 Rack1ASA : %ASA-6-302020: Built ICMP connection for
faddr 10.0.0.100/0 gaddr 192.10.1.8/14 laddr 192.10.1.8/14

On Mon, Jul 21, 2008 at 3:21 AM, Muhammad Nasim <muhammad.nasim@gmail.com>
wrote:

> Thanks for your comments but I want to mention what I understand
>
> Let suppose I have following four sites on my ASA
>
> 1. OUTSIDE -----------0
> 2.INSIDE -----------100
> 3.DMZ -----------50
> 4. WAN-SITES -----------------75
>
> "*no nat-control*" is there,
>
> nat (inside) 1 0 0
> global (outside) 1 interface
>
> *1- Inside -----to-------outside* is PATTING. Done, understand : )
>
> *2- Inside------to--------DMZ*
> Here I have to do NAT EXEMPTION or identity nat using static because I don't
> want inside users to be natted when going to the DMZ zone, so I will do
> static(inside,dmz) x.x.x.x x.x.x.x netmask y.y.y.y
>
> 3-*Inside------to--------WAN-SITES*
> Here I have to do NAT EXEMPTION or identity nat using static because I don't
> want inside users to be natted when going to the WAN-SITES zone, so I will do
> static(inside,dmz) x.x.x.x x.x.x.x netmask y.y.y.y
>
> For the rest of the traffic I do not need any nat exemption or identity nat
> using static because I did not enable "nat-control". For Inside to any lower
> security level I have to do nat-exemption or static because I did PATTING from
> inside to outside
>
>
> Is my understanding correct please confirm?
>
> Thanks
>
>
>
> 2008/7/21 sushil menon <sushilmenon2001@gmail.com>:
>
> > hi nasim, one thing i am pretty sure of is that when having no nat-control
> > enabled globally, which is the default, and then when u do a nat (inside) 1 0 0
> > with global (outside) 1 interface
> >
> > this only means natting for all the sources originating on the inside, to be
> > patted when going to the outside.
> >
> > however if u are having 2 other interfaces, lets say dmz1 and dmz2, with dmz1
> > having the higher security level, then traffic going from dmz1 to dmz2 requires
> > no nat cause by default higher to lower traffic is allowed and no
> > nat-control is enabled by default so no natting is required.
> >
> > the reason cisco came out with the no nat-control thing was to reduce the
> > configuration.
> > so with no nat-control u only need to enable nat for the required subnets
> > and the rest can go untranslated.
> >
> > regards
> >
> > sushil
> >
> >
> > On Mon, Jul 21, 2008 at 5:14 AM, verb2300@yahoo.com <verb2300@yahoo.com>
> > wrote:
> >
> >> No, a nat statement is not the same as nat control. You are matching all
> >> traffic entering your inside interface with a nat statement. That's it. Nat
> >> control is global and applies to all traffic sourced from a higher security
> >> interface to a lower security interface, making a nat statement a requirement
> >> for traffic flows. If you really want to understand, look at the difference
> >> between pix code 6.3 and 7.0, specifically the implementation of MPF.
> >>
> >> Muhammad Nasim wrote:
> >> > Dear All,
> >> > Is it true that if we enable pat on the ASA, e.g.
> >> > nat (inside) 1 0 0
> >> > global (outside) 1 interface
> >> > then the ASA will behave the same as if "nat-control" is enabled (although
> >> > nat-control is disabled)?
> >> > Any inputs and links will be helpful
> >> > Thanks
> >> > --
> >> > Muhammad Nasim
> >> > Network Engineer
> >> > Saudi Arabia
> >>
> >>
> >
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
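As an added example (not part of the thread), a small Python triage helper that parses the three ASA syslog message types quoted in Jason's reply above (%ASA-3-305005, %ASA-3-305006, %ASA-6-302020) and tallies translation failures per interface pair, so a defender reviewing firewall logs can spot hosts that nat-control is silently blocking. The sample lines are constructed from the ones posted in the thread; the "reason" strings are this example's own summaries of the thread's explanation, not ASA output.

```python
import re
from collections import Counter

# Sample ASA syslog lines, constructed from the ones posted in this thread.
SAMPLE_LOG = """\
Jul 20 2008 23:10:03 Rack1ASA : %ASA-3-305006: portmap translation creation failed for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)
Jul 20 2008 23:24:48 Rack1ASA : %ASA-6-302020: Built ICMP connection for faddr 10.0.0.100/0 gaddr 192.10.1.8/11 laddr 192.10.1.8/11
Jul 20 2008 23:26:57 Rack1ASA : %ASA-3-305005: No translation group found for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)
Jul 20 2008 23:26:59 Rack1ASA : %ASA-3-305005: No translation group found for icmp src inside:192.10.1.8 dst dmz:10.0.0.100 (type 8, code 0)
"""

# Every ASA syslog line carries "%ASA-<severity>-<6-digit message id>: <text>".
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# 305005 and 305006 both report the flow as "src <ifc>:<ip> dst <ifc>:<ip>".
FLOW_RE = re.compile(r"src (?P<sifc>[\w-]+):(?P<sip>[\d.]+) dst (?P<difc>[\w-]+):(?P<dip>[\d.]+)")

# Short reasons, summarising what the thread says each failure means.
NAT_FAILURE_IDS = {
    "305005": "no translation group: nat-control on, no nat/static matched the flow",
    "305006": "portmap translation failed: nat matched the source, no global for egress",
}
BUILT_ID = "302020"  # connection built, i.e. the flow was allowed

def parse_nat_failure(line):
    """Return a dict describing a 3050xx translation failure, None for other lines."""
    m = HEADER_RE.search(line)
    if not m or m["msgid"] not in NAT_FAILURE_IDS:
        return None
    f = FLOW_RE.search(m["text"])
    if not f:
        return None
    return {"msgid": m["msgid"], "severity": int(m["sev"]),
            "src_ifc": f["sifc"], "src_ip": f["sip"],
            "dst_ifc": f["difc"], "dst_ip": f["dip"],
            "reason": NAT_FAILURE_IDS[m["msgid"]]}

def summarize(log):
    """Tally failures per (src ifc, dst ifc, msgid) and count built connections.
    Repeated 305005 for one inside->dmz flow marks a host that nat-control blocks."""
    failures = Counter()
    built = 0
    for line in log.splitlines():
        ev = parse_nat_failure(line)
        if ev is not None:
            failures[(ev["src_ifc"], ev["dst_ifc"], ev["msgid"])] += 1
        else:
            m = HEADER_RE.search(line)
            if m and m["msgid"] == BUILT_ID:
                built += 1
    return {"failures": dict(failures), "built": built}
```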



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART