This is a very easy concept, the answer is yes... Look for RPF check... You need to be careful that there are no asymmetric NAT rules.
Sent from my iPhone

On Dec 19, 2012, at 10:19 AM, "Joe Astorino" <[email protected]> wrote:

> Nobody?
>
> On Thu, Dec 13, 2012 at 4:18 PM, Joe Astorino <[email protected]> wrote:
>
>> So in 8.2 code we had this concept of nat-control that when enabled required a nat translation from higher to lower security level interfaces. Fine, no problems. When we disable this feature via "no nat-control" we no longer have that requirement. One caveat to that is that apparently even with nat-control disabled, if you enable dynamic nat/pat on an interface then you must either nat or bypass nat for all traffic sourced from the addresses in the dynamic nat.
>>
>> Specifically, in the configuration guide: "Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT."
>>
>> Now, I have a question. Does this apply to dynamic outside NAT, and specifically dynamic outside policy nat? The config guide states "Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface." but does not mention anything about dynamic policy outside NAT.
>>
>> I ask because I see the following happening. I have nat-control disabled.
>>
>> ASA# sh run | i nat|global
>> global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
>> global (inside) 1 192.168.10.93
>> global (inside) 1 192.168.10.94
>> nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside
>>
>> This configuration works great -- traffic matching the ACL "DYNAMIC_POLICY_NAT" is dynamic NAT'd to the pool. When the pool is exhausted traffic is NAT/PAT'd. However, everything continues to work. In other words, traffic originating on the outside interface passes through to the inside interface with no NAT rule or NAT exemption configured. Is this the expected behavior?
>>
>> Thank You!
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
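As an added illustration (not part of the thread, and not Cisco's code), here is a small Python inventory of the 8.2-style `nat`/`global` lines quoted above. It pairs each `nat (iface) id` rule with the `global` pools sharing that id, separates id 0 exemption/identity rules from dynamic rules, and flags the trailing `outside` keyword, so a reviewer can see at a glance which interfaces have dynamic NAT enabled and therefore fall under the config-guide caveat the original poster quotes. The `nat (inside) 0 access-list NO_NAT` line is a constructed addition to the sample so the exemption path is exercised; the rest of the sample is the output from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the "sh run | i nat|global" lines quoted in the
# thread, plus one hypothetical "nat (inside) 0" exemption line so the report
# shows how a NAT exemption is classified.
SAMPLE_CONFIG = """\
global (inside) 1 192.168.10.88-192.168.10.92 netmask 255.255.255.248
global (inside) 1 192.168.10.93
global (inside) 1 192.168.10.94
nat (outside) 1 access-list DYNAMIC_POLICY_NAT outside
nat (inside) 0 access-list NO_NAT
"""

NAT_RE = re.compile(r"^nat \((?P<iface>[\w./-]+)\) (?P<id>\d+)\s*(?P<rest>.*)$")
GLOBAL_RE = re.compile(r"^global \((?P<iface>[\w./-]+)\) (?P<id>\d+) (?P<pool>\S+)")


def parse_nat_config(text):
    """Return (nat_rules, globals_by_id) parsed from 8.x-style nat/global lines."""
    nat_rules = []
    globals_by_id = defaultdict(list)  # nat id -> [(interface, pool), ...]
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            rest = m.group("rest").split()
            is_policy = rest[:1] == ["access-list"]
            nat_rules.append({
                "iface": m.group("iface"),
                "id": int(m.group("id")),
                "policy_acl": rest[1] if is_policy and len(rest) > 1 else None,
                # The 'outside' keyword that turns a rule into outside NAT can
                # only follow the ACL name or the network/mask pair, i.e. it
                # sits at token index 2 or later.
                "outside_nat": "outside" in rest[2:],
            })
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[int(m.group("id"))].append(
                (m.group("iface"), m.group("pool"))
            )
    return nat_rules, globals_by_id


def nat_report(text):
    """Classify every nat rule and attach the global pools it translates to."""
    nat_rules, globals_by_id = parse_nat_config(text)
    report = []
    for rule in nat_rules:
        entry = dict(rule)
        if rule["id"] == 0:
            # id 0 with an ACL is NAT exemption; id 0 with a network is identity NAT
            entry["kind"] = "exemption" if rule["policy_acl"] else "identity"
            entry["pools"] = []
        else:
            # any id > 0 enables dynamic NAT/PAT on that interface, which is the
            # condition the config-guide caveat in the thread is about
            entry["kind"] = "dynamic"
            entry["pools"] = globals_by_id.get(rule["id"], [])
        report.append(entry)
    return report


def interfaces_with_dynamic_nat(text):
    """Interfaces on which dynamic NAT is enabled (the caveat applies to these)."""
    return sorted({r["iface"] for r in nat_report(text) if r["kind"] == "dynamic"})


if __name__ == "__main__":
    for entry in nat_report(SAMPLE_CONFIG):
        print(entry)
    print("dynamic NAT on:", interfaces_with_dynamic_nat(SAMPLE_CONFIG))
```

Run against the thread's config, the report shows one dynamic outside policy NAT rule on `outside` (ACL `DYNAMIC_POLICY_NAT`, three pools on `inside`) and no exemption on `outside`, which is exactly the combination the poster is asking about.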
