NAT Control (8.2 and below)

This is the first stepping stone when you start getting into the nitty-gritty details about NAT. Here is how an ASA exactly behaves when NAT control is enabled or disabled.

NAT Control is nothing but the function used to enforce the use of NAT in ASA. By default, this feature is turned off, so NAT is not required for transit traffic. But when it is turned on, NAT is enforced.

NAT control – disabled (The default)

  • No NAT required at all!
  • Except for outbound traffic destined to the ISP because they block RFC 1918 IP addresses and hence the packets will be dropped at the ISP’s end if you don’t translate it. But if you are using public IPs in your internal network then again NAT is not required.

      NAT control – enabled

  • NAT control requires that packet traversing the ASA in any direction match a NAT rule.
  • For same-security-traffic interface, NAT is not required if there isn’t any NAT rule applied on those interfaces. If there is a NAT rule applied say, an outbound NAT, then NAT becomes mandatory on that interface (this ones a little tricky).
Those of you who have migrated to 8.3 and above you need not worry about NAT-control! Although, here’s what you need to worry about;-)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s