As I wrote in my last post, I’m working on a PIX to ASA migration.
One of the things that came up when I checked the PIX config is nat-control. What is it doing and should I use it in my ASA? Reading this post will answer some of the questions.
Historically, the PIX required NAT for traffic flowing from one interface to another. That changed in PIX 7.0, when Cisco added the nat-control command, which lets you configure your PIX/ASA to pass traffic between interfaces without NAT.
How does it work?
Use the nat-control command in configuration mode to specify whether NAT is required for outside communications. When NAT control is enabled, NAT rules must be configured to allow outbound traffic, as was the case with earlier versions of PIX software (older than 7.0).
If NAT control is disabled (using no nat-control), inside hosts can communicate with outside networks without the configuration of a NAT rule as long as they have valid public addresses.
This is how it looks in ASDM:
- Translation method – this can be a static translation with the static command, or a dynamic translation with a nat or global rule.
- Access control list (ACL) – If an ACL is present, then it must allow the source host access to the destination host with the use of the specific protocol and port.
To figure out if nat-control is enabled or disabled, use this simple show command:
show run nat-control
When enabled, the output would be
When disabled it will show
To sum up, newer PIX/ASA versions do not require NAT configuration, and you have the option to disable nat-control. You should work out which types of connections pass through your firewall and decide whether to enable or disable nat-control. At least you have the option.
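To support that decision during a migration, here is an added example (not part of the original post and not Cisco tooling) that reads a saved running-config, reports whether nat-control is on, and lists the interfaces that have no nat or static rule. The sample config is constructed, the function name is hypothetical, and a missing nat-control line is assumed to mean disabled.

```python
import re

# Constructed PIX/ASA 7.x-style running-config (sample data, not from the post).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
nat-control
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
"""

def audit_nat_control(config):
    """Return the nat-control state and the interfaces lacking a NAT rule."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Assumption: a bare "nat-control" line means enabled; "no nat-control"
    # or no such line at all is treated as disabled.
    enabled = "nat-control" in lines
    levels, translated, current = {}, set(), None
    for ln in lines:
        if ln.startswith("interface "):
            current = None                      # new interface block
        elif m := re.match(r"nameif (\S+)$", ln):
            current = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", ln)) and current:
            levels[current] = int(m.group(1))
        elif m := re.match(r"(?:nat|static) \(([^,)\s]+)", ln):
            translated.add(m.group(1))          # first name = real interface
    lowest = min(levels.values(), default=0)
    # Only interfaces above the lowest security level send outbound traffic.
    uncovered = sorted(name for name, lvl in levels.items()
                       if lvl > lowest and name not in translated)
    return {"nat_control": enabled, "no_nat_rule": uncovered}

if __name__ == "__main__":
    result = audit_nat_control(SAMPLE_CONFIG)
    state = "enabled" if result["nat_control"] else "disabled"
    effect = ("outbound traffic is not allowed until a NAT rule exists"
              if result["nat_control"] else
              "traffic passes untranslated without needing a NAT rule")
    for name in result["no_nat_rule"]:
        print(f"nat-control {state}: {name}: {effect}")
```

In the sample, dmz has no rule, so with nat-control enabled its hosts cannot reach outside until one is added; with no nat-control the same hosts would pass with their real addresses.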