From: Swap (ccie77@gmail.com)
Date: Mon Jul 21 2008 - 12:42:00 ART
That's not fully true. Two things on this -
With no nat-control, if you enable nat/pat on inside, it has nothing to do
with traffic between DMZ and outside. No-nat ctrl will allow traffic between
dmz and outside without any nat/static if ACLs permit.
AND if nat (inside) 1 0 0 is configured, this means that all traffic to and
from inside interface to any other interface will need nat/static. Don't
look at global in this case. Even if DMZ interface doesn't have a global for
nat id 1, traffic between DMZ and inside requires a nat/static.
Sushil is correct in what he wrote.
HTH
Swap
#19804
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason W. Miller
Sent: Sunday, July 20, 2008 11:17 PM
To: Muhammad Nasim
Cc: sushil menon; Cisco certification; GS CCIE-Lab
Subject: Re: is it true about ASA?
It is documented that once you enable PAT/NAT globally on any 1 interface
it's the default behavior on all interfaces. You can lab this up and validate
this as well.
And the giant thread does begin ;-)
On Sun, Jul 20, 2008 at 3:08 PM, Muhammad Nasim <muhammad.nasim@gmail.com>
wrote:
> Now here is the Conflict b/w sushil and jason : )
>
> OK let's put it another way
>
>
> *PATTING ON ANY INTERFACE* = "*NAT-CONTROL" command on the ASA. *
>
> I think logically speaking if anyone has to do patting on any interface
> it is better to enable "nat-control" so there will be no confusion any more : )
>
> Am I correct?
>
> Please confirm
>
>
>
>
> 2008/7/20 Jason W. Miller <jaymiller5@gmail.com>:
>
>> Not true, once you enable PAT/NAT globally on the device the default
>> behavior on all interfaces is nat-control.
>>
>>
>>
>> On Sun, Jul 20, 2008 at 1:49 PM, sushil menon <sushilmenon2001@gmail.com>
>> wrote:
>>
>>> hi this case all the traffic from the inside will be natted while going on
>>> the outside. even though nat control is disabled. but traffic from dmz to
>>> outside will not be natted since nat-control is disabled.
>>>
>>> regards
>>>
>>> sushil
>>>
>>> On Sun, Jul 20, 2008 at 10:00 PM, Muhammad Nasim <
>>> muhammad.nasim@gmail.com>
>>> wrote:
>>>
>>> > Dear All,
>>> >
>>> > Is it true that if we enable pat on ASA for e.g
>>> >
>>> > nat (inside) 1 0 0
>>> > global (outside) 1 interface
>>> >
>>> > Then ASA will behave same as "nat-control" is enabled. (Although
>>> > nat-control is disabled).
>>> >
>>> >
>>> >
>>> >
>>> > Any inputs and links will be helpful
>>> >
>>> > Thanks
>>> >
>>> >
>>> > --
>>> > Muhammad Nasim
>>> > Network Engineer
>>> > Saudi Arabia
>>>
>>>
>>
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
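
The behaviour Swap and sushil describe in this thread, as a small Python model (an added example, not part of the thread and not ASA code). It assumes pre-8.3 `nat`/`global` syntax, outbound connections from a higher to a lower security level, ACLs that permit the traffic, and a hypothetical `Asa` class whose fields and `decide` method are invented for illustration.

```python
# Simplified model of the NAT decision discussed in the thread.
# Assumptions: outbound flows only, ACLs permit, nat id 0 (identity NAT) is not modelled.
from dataclasses import dataclass, field


@dataclass
class Asa:
    nat_control: bool = False
    nat: dict = field(default_factory=dict)       # real interface -> nat id
    globals_: dict = field(default_factory=dict)  # (egress interface, nat id) -> pool
    statics: set = field(default_factory=set)     # (real interface, mapped interface)

    def decide(self, src_if, dst_if):
        """Return the translation decision for a new src_if -> dst_if connection."""
        if (src_if, dst_if) in self.statics:
            return "static"
        nat_id = self.nat.get(src_if)
        if nat_id is not None:
            # A nat rule matches the source, so a global with the same id must
            # exist on the egress interface, whether or not nat-control is on.
            pool = self.globals_.get((dst_if, nat_id))
            return f"pat:{pool}" if pool else "drop:no-global"
        # No nat rule matches the source: only nat-control decides.
        return "drop:nat-control" if self.nat_control else "untranslated"


def thread_config(nat_control=False):
    # nat (inside) 1 0 0 / global (outside) 1 interface, from the original question
    return Asa(nat_control=nat_control,
               nat={"inside": 1},
               globals_={("outside", 1): "interface"})


def demo():
    """Evaluate the three flows argued about in the thread, with and without nat-control."""
    flows = [("inside", "outside"), ("inside", "dmz"), ("dmz", "outside")]
    rows = []
    for nat_control in (False, True):
        fw = thread_config(nat_control)
        for src_if, dst_if in flows:
            rows.append((nat_control, src_if, dst_if, fw.decide(src_if, dst_if)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Only the dmz-to-outside row changes when `nat_control` is toggled, which is the distinction between "PAT configured on inside" and "nat-control enabled" that the replies above are arguing over.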
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART