Solved

ASA-NAT-Control feature

Posted on 2011-09-23
6
1,075 Views
Last Modified: 2012-05-12
Hi,

I am getting confuse about NAT-Control feature..
What is basic poins about NAT-Control.
I have  read that it is disabled by default in ASA box.If i disable this feature with no-form how the ASA behaviour changes

Give me the difference btn Nat-control and no-nat control features in a understanble manner
to me with any simple example

Regards
ramu
0
Comment
Question by:RAMU CH
  • 3
  • 3
6 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
Comment Utility
As per cisco:

The nat-control command on the PIX/ASA specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global or a static statement) for that traffic to pass through the firewall. The nat-control command ensures that the translation behavior is the same as PIX Firewall versions earlier than 7.0. The default configuration of PIX/ASA version 7.0 and later is the specification of the no nat-control command. With PIX/ASA version 7.0 and later, you can change this behavior when you issue the nat-control command.

With nat-control disabled, the PIX/ASA forwards packets from a higher-security interface to a lower one without a specific translation entry in the configuration. In order to pass traffic from a lower security interface to a higher one, use access lists to permit the traffic. The PIX/ASA then forwards the traffic. This document focuses on the PIX/ASA security appliance behavior with nat-control enabled.

Note: If you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected.


Source: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#backinfo
0
 
LVL 1

Author Comment

by:RAMU CH
Comment Utility
Hi Erniebeek,

What is Twic NAT.
Whar is Identity NAt and what conditions we use Twice NAT & identity NAT

Regards
ramu
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
Comment Utility
Hi Ramu,

Twice NAT lets you identify both the source and destination address in a single rule.
The destination address is optional. If you specify the destination address, you can either map it to itself
(identity NAT), or you can map it to a different address. The destination mapping is always a static
mapping.

Have a look at:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.pdf
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 1

Assisted Solution

by:RAMU CH
RAMU CH earned 0 total points
Comment Utility
Hi eriebeek,

Will you clarify me more as i am not getting what is the diffrence between normat NAT nadd Twice NAT.

Regards
ramu
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
Comment Utility
Ok,

Main Differences Between Network Object NAT and Twice NAT
The main differences between these two NAT types are:
• How you define the real address.
– Network object NAT—You define NAT as a parameter for a network object; the network object
definition itself provides the real address. This method lets you easily add NAT to network
objects. The objects can also be used in other parts of your configuration, for example, for
access rules or even in twice NAT rules.
– Twice NAT—You identify a network object or network object group for both the real and
mapped addresses. In this case, NAT is not a parameter of the network object; the network object
or group is a parameter of the NAT configuration. The ability to use a network object group for
the real address means that twice NAT is more scalable.
• How source and destination NAT is implemented.
– Network object NAT— Each rule can apply to either the source or destination of a packet. So
two rules might be used, one for the source IP address, and one for the destination IP address.
These two rules cannot be tied together to enforce a specific translation for a source/destination
combination.
– Twice NAT—A single rule translates both the source and destination. A matching packet only
matches the one rule, and further rules are not checked. Even if you do not configure the
optional destination address for twice NAT, a matching packet still only matches one twice NAT
rule. The source and destination are tied together, so you can enforce different translations
depending on the source/destination combination. For example, sourceA/destinationA can have
a different translation than sourceA/destinationB.
• Order of NAT Rules.
– Network object NAT—Automatically ordered in the NAT table.
– Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
See the “NAT Rule Order” section on page 27-19 for more information.
We recommend using network object NAT unless you need the extra features that twice NAT provides.
Network object NAT is easier to configure, and might be more reliable for applications such as Voice
over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a
failure in the translation of indirect addresses that do not belong to either of the objects.)

Got that from:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.pdf
0
 
LVL 1

Author Closing Comment

by:RAMU CH
Comment Utility
Thanks
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now