So in 8.2 code we had this concept of nat-control that when enabled required a nat translation from higher to lower security level interfaces. Fine, no problems. When we disable this feature via "no nat-control" we no longer have that requirement. One caveat to that is that apparently even with nat-control disabled, if you enable dynamic nat/pat on an interface then you must either nat or bypass nat for all traffic sourced from the addresses in the dynamic nat.
Specifically, in the configuration guide: "Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT."

Now, I have a question. Does this apply to dynamic outside NAT, and specifically dynamic outside policy NAT? The config guide states "Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface," but does not mention anything about dynamic policy outside NAT.

I ask because I see the following happening. I have nat-control disabled.

    ASA# sh run | i nat|global
    global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
    global (inside) 1 192.168.10.93
    global (inside) 1 192.168.10.94
    nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside

This configuration works great -- traffic matching the ACL "DYNAMIC_POLICY_NAT" is dynamic NAT'd to the pool. When the pool is exhausted, traffic is NAT/PAT'd. However, everything continues to work. In other words, traffic originating on the outside interface passes through to the inside interface with no NAT rule or NAT exemption configured. Is this the expected behavior?

Thank You!

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
