When you say "traffic originating on the outside interface passes through to the inside interface with no NAT rule or NAT exemption configured", are you talking about traffic that matches access-list DYNAMIC_POLICY_NAT or all traffic? I think the "However, everything continues to work" statement is throwing me, implying that you do something that should trigger things not to work.
Brian

-----Original Message-----
From: Joe Astorino [mailto:[email protected]]
Sent: Wednesday, December 19, 2012 9:20 AM
To: OSL Security
Subject: Re: [OSL | CCIE_Security] nat-control + dynamic NAT

Nobody?

On Thu, Dec 13, 2012 at 4:18 PM, Joe Astorino <[email protected]> wrote:
> So in 8.2 code we had this concept of nat-control that when enabled
> required a nat translation from higher to lower security level
> interfaces. Fine, no problems. When we disable this feature via "no
> nat-control" we no longer have that requirement. One caveat to that
> is that apparently even with nat-control disabled, if you enable
> dynamic nat/pat on an interface then you must either nat or bypass nat
> for all traffic sourced from the addresses in the dynamic nat.
>
> Specifically, in the configuration guide: "Even with NAT control
> disabled, you need to perform NAT on any addresses for which you
> configure dynamic NAT"
>
> Now, I have a question. Does this apply to dynamic outside NAT, and
> specifically dynamic outside policy nat? The config guide states
> "Similarly, if you enable outside dynamic NAT or PAT, then all outside
> traffic must match a NAT rule when it accesses an inside interface."
> but does not mention anything about dynamic policy outside NAT.
>
> I ask because I see the following happening. I have nat-control disabled.
>
> ASA# sh run | i nat|global
> global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
> global (inside) 1 192.168.10.93
> global (inside) 1 192.168.10.94
> nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside
>
> This configuration works great -- traffic matching the ACL
> "DYNAMIC_POLICY_NAT" is dynamic NAT'd to the pool. When the pool is
> exhausted traffic is NAT/PAT. However, everything continues to work.
> In other words, traffic originating on the outside interface passes
> through to the inside interface with no NAT rule or NAT exemption
> configured. Is this the expected behavior?
>
> Thank You!
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
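As an added configuration example (not Joe's configuration and not text from the Cisco configuration guide), the following shows the same ASA 8.2 dynamic outside policy NAT with the remaining outside traffic handled by an explicit rule, so that reachability from the outside does not depend on the undocumented pass-through described in the thread. The inside subnet 192.168.10.0/24, the outside networks 172.16.50.0/24 and 172.16.60.0/24, the ACL body of DYNAMIC_POLICY_NAT and the ACL name OUTSIDE_NO_NAT are assumptions; the `global` and `nat (outside) 1` lines are the ones quoted in the post.

```cisco
! Added example, not the original poster's running config.
! Assumed: inside subnet 192.168.10.0/24, outside networks 172.16.50.0/24
! (to be translated) and 172.16.60.0/24 (to bypass NAT), ACL names below.
no nat-control

! Outside sources that must be translated into the inside pool
access-list DYNAMIC_POLICY_NAT extended permit ip 172.16.50.0 255.255.255.0 192.168.10.0 255.255.255.0

! Outside sources explicitly allowed to reach the inside untranslated.
! NAT exemption (nat 0 access-list) is matched before dynamic rules, so
! this ACL must not overlap DYNAMIC_POLICY_NAT, or that traffic would
! never be translated.
access-list OUTSIDE_NO_NAT extended permit ip 172.16.60.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NO_NAT

! Pool plus two overflow PAT addresses on the inside, as in the post
global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
global (inside) 1 192.168.10.93
global (inside) 1 192.168.10.94
nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside

! Per the configuration guide text quoted in the thread, outside sources
! matching neither ACL should now have no rule to hit. Check with:
!   show nat      (per-rule match counters)
!   show xlate    (translations actually built)
```

With the exemption enumerated rather than written as `any`, an outside source that is in neither ACL is the case the configuration guide says must match a rule; if `show xlate` shows such a flow passing anyway, that is the behaviour the thread is asking about, isolated from any overlap in the rules themselves.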
