Cisco ASA Firewall requiring a static nat statement when NAT-Control is off

In releases 8.2 and earlier, the Cisco ASA 5500 platform gave the user a choice to enable NAT-Control or not. When NAT-Control was enabled, every IP had to have a NAT statement to traverse the firewall, even if it was translated to itself. I found that even though NAT-Control was off, I still needed a static NAT statement for an individual subnet to work. Without the NAT statement, the traffic was blocked.

I found that I had a Global statement for this subnet so those devices could go to the internet and be translated to a single public IP. Those same devices were trying to access resources in a DMZ with a lower security level.

I found the following documentation from Cisco.com that explains why I needed the static NAT statement with NAT-Control shut off.

“When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.”

See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 172.16.1.3-172.16.1.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40
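The rule in the quoted passage can be checked mechanically against a running config: for every nat group, each interface with a lower or equal security level must carry a global with the same NAT ID, or the individual hosts must be covered by a static toward that interface; anything else is dropped regardless of the nat-control setting. The audit script below is an added example written for this post, not Cisco code or a Cisco tool. The interface names, security levels and addresses in SAMPLE_CONFIG are constructed to reproduce the scenario described above (a global toward the outside only, and a single static toward the dmz); the regular expressions cover the pre-8.3 nat/global/static syntax shown on this page and nothing more.

```python
import ipaddress
import re

# Constructed sample config (not from the post): nat group on inside, global only
# toward outside, one static toward the lower-security dmz. Everything else on the
# inside subnet is blocked toward the dmz even though nat-control is off.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 172.16.1.3-172.16.1.4
static (inside,dmz) 10.1.2.27 10.1.1.5 netmask 255.255.255.255
"""

# The same config with the missing global added for the dmz (constructed fix).
FIXED_CONFIG = SAMPLE_CONFIG + "global (dmz) 1 10.1.2.30-10.1.2.40\n"

# Pre-8.3 syntax: nat (ifc) id net mask [outside] / global (ifc) id ... /
# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: (outside))?")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_config(text):
    """Return (security levels by nameif, nat groups, (ifc, id) globals, statics)."""
    levels, nats, globals_, statics = {}, [], set(), []
    current = None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            current = None
        elif s.startswith("nameif "):
            current = s.split()[1]
        elif s.startswith("security-level ") and current:
            levels[current] = int(s.split()[1])
        elif m := NAT_RE.match(s):
            ifc, nid, net, mask, outside = m.groups()
            # ID 0 is NAT exemption/identity; outside NAT follows different rules
            # (see the quoted text) and is left out of this simple check.
            if nid != "0" and not outside:
                nats.append((ifc, nid, ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(s):
            globals_.add((m.group(1), m.group(2)))
        elif m := STATIC_RE.match(s):
            real_ifc, mapped_ifc, _mapped, real = m.groups()
            statics.append((real_ifc, mapped_ifc, ipaddress.ip_address(real)))
    return levels, nats, globals_, statics


def audit(text):
    """For each nat group and each same-or-lower security interface, report whether
    a global with the same ID, only some statics, or nothing covers the group."""
    levels, nats, globals_, statics = parse_config(text)
    findings = []
    for src, nid, net in nats:
        src_level = levels.get(src)
        if src_level is None:
            continue  # nat references an interface with no security-level; skip
        for dst, lvl in levels.items():
            if dst == src or lvl > src_level:
                continue  # NAT is only mandatory toward same-or-lower security
            if (dst, nid) in globals_:
                findings.append((src, dst, str(net), "ok: global with same NAT ID"))
                continue
            covered = sorted(str(real) for r_ifc, m_ifc, real in statics
                             if r_ifc == src and m_ifc == dst and real in net)
            if covered:
                findings.append((src, dst, str(net),
                                 f"partial: only static hosts {','.join(covered)} can reach {dst}"))
            else:
                findings.append((src, dst, str(net), "BLOCKED: no global or static for this group"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as found", SAMPLE_CONFIG), ("with global (dmz) 1", FIXED_CONFIG)):
        print(f"--- {label}")
        for src, dst, net, status in audit(cfg):
            print(f"{net} {src} -> {dst}: {status}")
```

Run against the sample, the inside subnet is reported "ok" toward the outside and "partial" toward the dmz with only 10.1.1.5 able to cross; adding a global (dmz) with NAT ID 1 turns the dmz finding into "ok", which is the same effect the extra static had in the post, but for the whole group rather than one host.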

Just because NAT-Control is off, don’t assume you don’t need that static NAT statement!!!


This entry was posted in Network Security by Scape.

About Scape

Over 10 Years in the networking field. Have worked in the Service provider and Enterprise environments. I have worked with Cisco, Foundry/Brocade, F5, Riverbed, Scientific Atlanta, Routers, Switches, Firewalls, Load Balancers, WAN Accelerators, DWDM, SONET, Multicast etc...
