Cisco Systems ASA 5545-X, ASA 5505, ASA 5555-X, ASA 5585-X NAT Control and Same Security Traffic

Chapter 6 Configuring NAT (ASA 8.2 and Earlier)

NAT Overview

Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown in Figure 6-4.

Figure 6-4 NAT Control and Same Security Traffic

Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface (see Figure 6-5).

Static NAT does not cause these restrictions.

By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT. See the “Dynamic NAT Implementation” section on page 6-17for more information about how dynamic NAT is applied.

If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT rule on those addresses. (See the “Using NAT Exemption” section on page 6-33for more information).

To configure NAT control, see the “Configuring NAT Control” section on page 6-16.

Note In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to contexts if you do not enable unique MAC addresses for shared interfaces. See the “How the ASA Classifies Packets” section on page 8-3in the general operations configuration guide for more information about the relationship between the classifier and NAT.

Cisco ASA Series Firewall ASDM Configuration Guide

6-5