Thanks for replying Brian. When I say traffic originating on the outside interface passes through to the inside with no NAT rule or exemption, I mean all other traffic that is not matched by the access-list.

In other words, the dynamic policy outside NAT is working as it should, but in addition to that any other outside-initiated traffic gets passed through the firewall fine without doing anything else.

On Wed, Dec 19, 2012 at 1:57 PM, Brian Hooker <[email protected]> wrote:
> When you say "traffic originating on the outside interface passes through to the inside interface with no NAT rule or NAT exemption configured" are you talking about traffic that matches access-list DYNAMIC_POLICY_NAT or all traffic? I think the "However, everything continues to work" statement is throwing me, implying that you do something that should trigger things not to work.
>
> Brian
>
> -----Original Message-----
> From: Joe Astorino [mailto:[email protected]]
> Sent: Wednesday, December 19, 2012 9:20 AM
> To: OSL Security
> Subject: Re: [OSL | CCIE_Security] nat-control + dynamic NAT
>
> Nobody?
>
> On Thu, Dec 13, 2012 at 4:18 PM, Joe Astorino <[email protected]> wrote:
>> So in 8.2 code we had this concept of nat-control that, when enabled, required a NAT translation from higher to lower security level interfaces. Fine, no problems. When we disable this feature via "no nat-control" we no longer have that requirement. One caveat to that is that apparently even with nat-control disabled, if you enable dynamic NAT/PAT on an interface then you must either NAT or bypass NAT for all traffic sourced from the addresses in the dynamic NAT.
>>
>> Specifically, in the configuration guide: "Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT"
>>
>> Now, I have a question. Does this apply to dynamic outside NAT, and specifically dynamic outside policy NAT? The config guide states "Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface." but does not mention anything about dynamic policy outside NAT.
>>
>> I ask because I see the following happening. I have nat-control disabled.
>>
>> ASA# sh run | i nat|global
>> global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
>> global (inside) 1 192.168.10.93
>> global (inside) 1 192.168.10.94
>> nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside
>>
>> This configuration works great -- traffic matching the ACL "DYNAMIC_POLICY_NAT" is dynamic NAT'd to the pool. When the pool is exhausted traffic is NAT/PAT'd. However, everything continues to work. In other words, traffic originating on the outside interface passes through to the inside interface with no NAT rule or NAT exemption configured. Is this the expected behavior?
>>
>> Thank You!

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
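As an added illustration of the mechanics Joe describes, and not code from the thread or from Cisco: a small Python model of the quoted ASA 8.2 `global`/`nat` lines, treating the address range as the dynamic NAT pool and the single addresses as the PAT fallback, with a constructed source range standing in for the unknown contents of DYNAMIC_POLICY_NAT. Flows that miss the ACL come back as `no_nat_rule`; whether the ASA should forward those with nat-control disabled is the thread's open question, so the model deliberately does not decide it.

```python
import ipaddress
from collections import OrderedDict

# Taken from the "sh run | i nat|global" output quoted in the thread.
# ASA 8.2 semantics assumed here: an address range in a "global" line is a
# dynamic NAT pool; a single address is a PAT address (second one = backup).
GLOBAL_LINES = [
    "global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248",
    "global (inside) 1 192.168.10.93",
    "global (inside) 1 192.168.10.94",
]
# Hypothetical contents of access-list DYNAMIC_POLICY_NAT (not on the page).
POLICY_ACL = [ipaddress.ip_network("203.0.113.0/28")]


def parse_globals(lines):
    """Split the global lines into (dynamic NAT pool, PAT addresses)."""
    pool, pat = [], []
    for line in lines:
        addr = line.split()[3]          # field after "global (inside) 1"
        if "-" in addr:
            lo, hi = (ipaddress.ip_address(a) for a in addr.split("-"))
            pool.extend(ipaddress.ip_address(int(lo) + i)
                        for i in range(int(hi) - int(lo) + 1))
        else:
            pat.append(ipaddress.ip_address(addr))
    return pool, pat


class OutsideDynamicNat:
    """Per-source model of 'nat (outside) 1 access-list ... outside'."""

    def __init__(self, global_lines, acl):
        self.pool, self.pat = parse_globals(global_lines)
        self.acl = acl
        self.xlates = OrderedDict()     # outside source -> mapped address

    def translate(self, src):
        """Return (outcome, mapped address) for a new outside-initiated flow."""
        src = ipaddress.ip_address(src)
        if not any(src in net for net in self.acl):
            return ("no_nat_rule", None)          # the case Joe is asking about
        if src in self.xlates:
            return ("existing", self.xlates[src])
        used = set(self.xlates.values())
        for addr in self.pool:                    # simplification: in-order pick
            if addr not in used:
                self.xlates[src] = addr
                return ("dynamic_nat", addr)
        if self.pat:                              # pool exhausted -> PAT
            self.xlates[src] = self.pat[0]
            return ("pat", self.pat[0])
        return ("pool_exhausted", None)
```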
