Every product vendor has its own implementation of NAT and its own terminology for it: "Hide NAT" is associated with Check Point firewalls, "MIP, DIP and VIP" with Juniper firewalls, and NAT-Control with Cisco PIX/ASA firewalls. NAT-Control is the Cisco way of implementing NAT, and understanding the concept is crucial if you have to deal with PIX/ASA firewalls.
NAT provides a high level of flexibility when deploying various solutions, but this feature is not available in IPv6; of course, there is a "NAT-PT" feature available for communication between IPv4 and IPv6.
So NAT-Control is the feature on the PIX/ASA that basically states the following:
• NAT-control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
• Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same-security interface with NAT-control enabled, then all traffic from the interface to a same-security interface or an outside interface must match a NAT rule.
• Similarly, if you enable outside dynamic NAT or PAT with NAT-control, then all outside traffic must match a NAT rule when it accesses an inside interface.
• Static NAT with NAT-control does not cause these restrictions.
NAT-Control and ASA versions
6.3 and lower: With any version lower than 6.3, NAT-control is a requirement, which means configuring NAT was mandatory along with an ACL; without it, traffic is not allowed to pass through the firewall.
7.0(1) and higher: NAT-control is disabled by default, but you can enable it if required; this means configuring NAT is not mandatory along with the ACL to allow traffic to flow through the firewall.
8.3 and higher: NAT-control is disabled by default and cannot be configured, which means NAT is not mandatory along with the ACL to allow traffic to flow through the firewall. The way NAT is implemented has also changed a lot; for example, you can reference a NAT object in the ACL itself.
From software 8.3(1) onward, the ASA firewall no longer knows any concept of "nat-control".
To enable NAT-control, issue the following command from configuration mode:
hostname(config)# nat-control
To disable NAT-control, issue the following command from configuration mode:
hostname(config)# no nat-control
To view the current NAT-control setting:
hostname# show running-config nat-control
Note: NAT control does not affect static NAT and does not cause the restrictions seen with dynamic NAT.
Bypassing NAT When NAT Control is Enabled
If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT rule on those addresses.
You can bypass NAT using one of the following three methods. All three achieve the same result; however, each method offers slightly different capabilities.
- Identity NAT (nat 0 command)
- Static identity NAT (static command)
- NAT exemption (nat 0 access-list command)
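As an added example (not code from the original post), a small Python checker that reads a constructed pre-8.3 ASA configuration fragment and reports, for an inside source and a destination, which of the rules above lets the flow through, or whether NAT-control would block it. The addresses, interface names and the ACL name NONAT are made up, and the rule list keeps the order of the config, with exemption and identity rules listed before the dynamic rule as they are evaluated on the firewall.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA configuration fragment (sample values, not a real device).
SAMPLE_CONFIG = """
nat-control
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 0 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 10.1.4.5 10.1.4.5 netmask 255.255.255.255
"""

def net(addr, mask):
    # ipaddress accepts dotted netmasks, e.g. "10.1.1.0/255.255.255.0"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Return the nat-control state plus the rules a source address can match."""
    cfg = {"nat_control": False, "rules": [], "acls": {}}
    for line in (l.strip() for l in text.splitlines()):
        if line == "nat-control":
            cfg["nat_control"] = True
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            # NAT exemption: the ACL (defined earlier in the config) names src and dst pairs
            for src, dst in cfg["acls"].get(m[1], []):
                cfg["rules"].append(("nat exemption", src, dst))
        elif m := re.match(r"nat \(\S+\) (\d+) (\S+) (\S+)", line):
            kind = "identity NAT" if m[1] == "0" else "dynamic NAT/PAT"
            cfg["rules"].append((kind, net(m[2], m[3]), None))
        elif m := re.match(r"static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)", line):
            # static syntax is: mapped_ip real_ip netmask mask; identity when both are equal
            kind = "static identity NAT" if m[1] == m[2] else "static NAT"
            cfg["rules"].append((kind, net(m[2], m[3]), None))
    return cfg

def nat_control_verdict(cfg, src, dst):
    """Name the first rule that covers src->dst, or None if nat-control blocks the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind, s_net, d_net in cfg["rules"]:
        if src in s_net and (d_net is None or dst in d_net):
            return kind
    return None if cfg["nat_control"] else "no NAT required (nat-control disabled)"
```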