Nobody?

On Thu, Dec 13, 2012 at 4:18 PM, Joe Astorino <[email protected]> wrote:
> So in 8.2 code we had this concept of nat-control that when enabled
> required a nat translation from higher to lower security level
> interfaces. Fine, no problems. When we disable this feature via "no
> nat-control" we no longer have that requirement. One caveat to that
> is that apparently even with nat-control disabled, if you enable
> dynamic nat/pat on an interface then you must either nat or bypass nat
> for all traffic sourced from the addresses in the dynamic nat.
>
> Specifically, in the configuration guide: "Even with NAT control
> disabled, you need to perform NAT on any addresses for which you
> configure dynamic NAT."
>
> Now, I have a question. Does this apply to dynamic outside NAT, and
> specifically dynamic outside policy NAT? The config guide states
> "Similarly, if you enable outside dynamic NAT or PAT, then all outside
> traffic must match a NAT rule when it accesses an inside interface."
> but does not mention anything about dynamic policy outside NAT.
>
> I ask because I see the following happening. I have nat-control disabled.
>
> ASA# sh run | i nat|global
> global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
> global (inside) 1 192.168.10.93
> global (inside) 1 192.168.10.94
> nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside
>
> This configuration works great -- traffic matching the ACL
> "DYNAMIC_POLICY_NAT" is dynamic NAT'd to the pool. When the pool is
> exhausted, traffic is NAT/PAT'd. However, everything continues to work.
> In other words, traffic originating on the outside interface passes
> through to the inside interface with no NAT rule or NAT exemption
> configured. Is this the expected behavior?
>
> Thank You!
>
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
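As an added illustration, not part of the thread and not Cisco's code: a small Python model of the 8.2 NAT rules the quoted config-guide sentences describe. It parses the `global`/`nat` lines from the post plus a constructed `access-list` body and a `no nat-control` line (the thread shows neither), pairs each `nat (if) ID` with a `global` of the same ID on the egress interface, treats `nat 0` as a bypass, and then applies the two requirements the poster quotes: with nat-control on, higher-to-lower flows need a translation; with dynamic NAT on an interface, covered hosts (and, for outside dynamic NAT, all traffic entering that interface) must match a rule. The security levels, the sample flows and all function names are assumptions made for the example. The model follows the guide's wording, so for untranslated outside-to-inside traffic it reports "needs-nat"; it says nothing about what a real ASA does with that packet.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample.  The global/nat lines are the ones posted in the thread; the ACL
# body and the "no nat-control" line are assumptions (the thread does not show them).
SAMPLE_CONFIG = """\
no nat-control
access-list DYNAMIC_POLICY_NAT extended permit ip 203.0.113.0 255.255.255.0 any
global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
global (inside) 1 192.168.10.93
global (inside) 1 192.168.10.94
nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside
"""


@dataclass
class NatConfig:
    nat_control: bool = False                  # assumed default; the sample sets it explicitly
    acls: dict = field(default_factory=dict)   # name -> [(src_net, dst_net)]
    nat: list = field(default_factory=list)    # (iface, id, acl_name | real_net, outside_nat)
    globals_: set = field(default_factory=set) # {(iface, id)}: pool usable when leaving iface

def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _acl_addr(t, i):
    """Parse one ACL address group at t[i]: 'any' | 'host X' | 'X MASK'."""
    if t[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1]), i + 2
    return _net(t[i], t[i + 1]), i + 2

def parse(text):
    """Pull nat-control, ACL, nat and global statements out of 8.2-style config text."""
    cfg = NatConfig()
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["no", "nat-control"]:
            cfg.nat_control = False
        elif t[:1] == ["nat-control"]:
            cfg.nat_control = True
        elif t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit") + 2          # skip 'permit <protocol>'
            src, i = _acl_addr(t, i)
            dst, _ = _acl_addr(t, i)
            cfg.acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"]:                 # nat (if) ID access-list NAME [outside] | nat (if) ID NET MASK
            match = t[4] if t[3] == "access-list" else _net(t[3], t[4])
            cfg.nat.append((t[1].strip("()"), int(t[2]), match, "outside" in t[5:]))
        elif t[:1] == ["global"]:              # global (if) ID <pool|interface>
            cfg.globals_.add((t[1].strip("()"), int(t[2])))
    return cfg

def _hit(cfg, match, src, dst):
    if isinstance(match, str):                 # policy NAT: match the ACL's src/dst pairs
        return any(src in s and dst in d for s, d in cfg.acls.get(match, []))
    return src in match                        # regular NAT: real source network

def nat_rule_for(cfg, ingress, egress, src, dst):
    """Name the first nat statement that translates or exempts the flow, else None."""
    for iface, nid, match, _ in cfg.nat:
        if iface != ingress or not _hit(cfg, match, src, dst):
            continue
        if nid == 0:                           # nat 0: exemption / identity, no pool needed
            return f"nat ({iface}) 0"
        if (egress, nid) in cfg.globals_:      # dynamic NAT needs a global with the same ID on the egress
            return f"nat ({iface}) {nid} -> global ({egress}) {nid}"
    return None

def translation_required(cfg, ingress, src, dst):
    """Guide rule quoted in the thread: hosts covered by a dynamic nat statement must be translated,
    and with outside dynamic NAT every flow entering that interface must match a NAT rule."""
    return any(iface == ingress and nid != 0 and (outside_nat or _hit(cfg, match, src, dst))
               for iface, nid, match, outside_nat in cfg.nat)

def check_flow(cfg, ingress, egress, src, dst, levels=None):
    """Classify a flow: 'translated', 'passed' (untranslated; nothing requires NAT) or
    'needs-nat' (nat-control or dynamic NAT requires a translation but no rule applies)."""
    levels = levels or {"inside": 100, "outside": 0}       # assumed security levels
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule = nat_rule_for(cfg, ingress, egress, src, dst)
    if rule:
        return "translated", rule
    if cfg.nat_control and levels[ingress] > levels[egress]:
        return "needs-nat", "nat-control: higher to lower security needs a translation"
    if translation_required(cfg, ingress, src, dst):
        return "needs-nat", f"dynamic NAT on {ingress} requires a matching rule or nat 0"
    return "passed", "no NAT rule matches and none is required"

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for flow in [("outside", "inside", "203.0.113.5", "192.168.10.10"),   # in the policy ACL
                 ("outside", "inside", "198.51.100.7", "192.168.10.10"),  # outside host not in the ACL
                 ("inside", "outside", "192.168.10.10", "198.51.100.7")]: # no nat on inside at all
        print(flow, check_flow(cfg, *flow))
```

The three sample flows cover the cases the post discusses: an outside host in the policy ACL is translated via `global (inside) 1`; an outside host outside the ACL matches nothing, and because a dynamic outside NAT statement exists the guide rule says it must (this is the traffic the post reports passing anyway); and inside-to-outside traffic passes untranslated because nat-control is off and no `nat (inside)` statement covers it. Feeding the model a config with `nat-control`, or with `nat (inside) 1 0.0.0.0 0.0.0.0` plus a `global` on only one egress, reproduces the two other "no translation" situations the first paragraph describes.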
