
Cisco ASA: What is NAT Control ?

Every product vendor has its own NAT implementation and its own terminology for it: "Hide NAT" belongs to Check Point firewalls, "MIP, DIP and VIP" to Juniper firewalls, and NAT-Control to Cisco PIX/ASA firewalls. NAT-Control is Cisco's way of implementing NAT, and understanding the concept is crucial if you have to deal with PIX/ASA firewalls.
NAT provides a high degree of flexibility when deploying various solutions, but the feature is not available in IPv6; of course, there is a "NAT-PT" feature for communication between IPv4 and IPv6.
So NAT-Control is the feature on the PIX/ASA that states the following:
  • NAT-control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
  • Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same-security interface with NAT-control enabled, then all traffic from the interface to a same-security interface or an outside interface must match a NAT rule.
  • Similarly, if you enable outside dynamic NAT or PAT with NAT-control, then all outside traffic must match a NAT rule when it accesses an inside interface.
  • Static NAT with NAT-control does not cause these restrictions.

NAT-Control and ASA versions

6.3 and lower: With any version lower than 6.3, NAT-control is a requirement, which means configuring NAT was mandatory along with an ACL; without it, traffic would not be allowed to pass through the firewall.

7.0(1) and higher: NAT-control is disabled by default but can be enabled if required, which means configuring NAT is not mandatory along with an ACL to allow traffic to flow through the firewall.

8.3 and higher: NAT-control is disabled by default and cannot be configured, which means NAT is not mandatory along with an ACL to allow traffic to flow through the firewall. The way NAT is implemented has also changed a lot; for example, you can refer to a NAT object in the ACL itself.

From software 8.3(1) onward, the ASA firewall no longer has any concept of "nat-control".

To enable NAT-control, issue the command below from global configuration mode:
hostname(config)# nat-control

To disable NAT-control, issue the command below from global configuration mode:
hostname(config)# no nat-control

To view the NAT-control setting:
show running-config nat-control

Note: NAT control does not affect static NAT and does not cause the restrictions seen with dynamic NAT.

Bypassing NAT When NAT Control is Enabled

If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT rule on those addresses.

You can bypass NAT using one of the following three methods. All three achieve the same result; however, each method offers slightly different capabilities.
  • Identity NAT (nat 0 command)
  • Static identity NAT (static command)
  • NAT exemption (nat 0 access-list command)
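As an added example (not part of the original post), the small Python checker below applies the NAT-control rule described above to a constructed pre-8.3 ASA configuration and reports which rule kind (dynamic NAT, identity NAT, static identity NAT or NAT exemption) lets a given inside host reach the outside, or that NAT-control would drop it for lack of a matching rule. The sample config, the addresses and the parser are assumptions for illustration; the parser only understands the inside-to-outside command forms shown in it.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA configuration used as sample input (not from the post).
SAMPLE_CONFIG = """\
nat-control
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
access-list NONAT extended permit ip 192.168.4.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

def parse_nat_rules(config):
    """Return (nat_control_enabled, {rule_kind: [inside networks]})."""
    nat_control = False
    rules = {"dynamic": [], "identity": [], "static": [], "exemption": []}
    acls = {}
    for line in config.splitlines():
        line = line.strip()
        if line == "nat-control":
            nat_control = True
            continue
        # Source network of an ACL entry; used later by 'nat (inside) 0 access-list'.
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) \S+ \S+$", line)
        if m:
            acls.setdefault(m.group(1), []).append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
            continue
        m = re.match(r"nat \(inside\) 0 access-list (\S+)$", line)
        if m:  # NAT exemption
            rules["exemption"].extend(acls.get(m.group(1), []))
            continue
        m = re.match(r"nat \(inside\) (\d+) (\S+) (\S+)$", line)
        if m:  # id 0 is identity NAT, any other id is dynamic NAT/PAT
            kind = "identity" if m.group(1) == "0" else "dynamic"
            rules[kind].append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
            continue
        # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
        m = re.match(r"static \(inside,outside\) \S+ (\S+) netmask (\S+)$", line)
        if m:
            rules["static"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nat_control, rules

def nat_rule_for(config, inside_host):
    """Rule kind that covers inside_host, None if NAT-control would drop it,
    or 'no-nat-needed' when NAT-control is off and no rule is required."""
    nat_control, rules = parse_nat_rules(config)
    host = ipaddress.ip_address(inside_host)
    for kind, nets in rules.items():
        if any(host in net for net in nets):
            return kind
    return None if nat_control else "no-nat-needed"
```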
