NAT Control

The firewall has always supported NAT and, in releases before 7.0, effectively required it: a packet with no matching translation rule was not forwarded. NAT control is the capability in the 7.0 software release on the Security Appliance that lets you choose which of these behaviors you want.
NAT control dictates whether the firewall requires address translation rules for traffic passing through it. Enabling it reproduces the address translation behavior of versions earlier than 7.0.
The NAT control feature works as follows:
  • When NAT control is disabled, the firewall forwards packets from a higher-security interface (such as Inside) to a lower-security interface (such as Outside) without requiring a NAT rule. Traffic from a lower-security interface to a higher-security interface only needs to be permitted by the access list applied to the ingress interface; no NAT rule is required in this mode either.
  • When NAT control is enabled, a NAT rule is compulsory. Packets initiated from a higher security-level interface (such as Inside) to a lower security-level interface (such as Outside) must match a NAT rule (a nat command with a corresponding global, or a static command); otherwise processing stops and the packet is dropped. Traffic from a lower-security interface to a higher-security interface must both match a NAT rule (a static, or a nat 0 with an access list) and be permitted by the access list on the ingress interface before it is forwarded through the firewall.

    Example of no translation (an identity static) with NAT control enabled, where inside is the higher security-level interface and outside the lower one:
             static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
The default configuration is no nat-control (NAT control disabled). From version 7.0 onward, this behavior can be changed as required.
To enable NAT control, use the nat-control command in the global configuration mode, as shown next:
hostname(config)# nat-control

Note
The nat-control command is available in routed firewall mode, in both single and multiple security context modes.

When nat-control is enabled, each Inside address that needs to communicate through the appliance must have a corresponding Inside NAT rule. Similarly, if Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside NAT rule before communication is allowed through the Security Appliance.
By default, NAT control is disabled (no nat-control command). The no nat-control command allows Inside hosts to communicate with outside networks without a NAT rule having to be configured. In essence, with NAT control disabled, the Security Appliance no longer requires a packet to match a translation rule: traffic that matches a configured nat/global or static is still translated, while traffic that matches no rule is forwarded untranslated. To disable NAT control globally, use the no nat-control command in global configuration mode:
hostname(config)# no nat-control

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires the traffic to be initiated from the higher-security interface, so an Outside host cannot open a connection to an identity-translated Inside host unless a static is added. The no nat-control command has no such requirement, nor does it require a static command to allow communication from the lower-security interface (Outside to Inside); forwarding then depends only on the access policy, that is, the traffic must be permitted by the ACL on the ingress interface and a corresponding route entry must exist.
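The two bulleted cases above and the no nat-control versus nat 0 comparison can be exercised side by side. The following is an added example, not code from the original post or from Cisco: a small Python model that parses a constructed PIX/ASA 7.x-style configuration and decides, for a given flow, whether the appliance forwards it with NAT control on or off. The interface names (inside/outside), ACL names (NONAT, OUTSIDE_IN) and all addresses are hypothetical; only layer-3 addresses are evaluated, ports and routing are ignored, and the decision logic encodes exactly the rules the text states (outbound needs a NAT rule only under nat-control; inbound always needs the ingress ACL and, under nat-control, a static or a nat 0 access-list; identity NAT without an ACL never admits outside-initiated flows).

```python
"""Added example (not Cisco code): a model of PIX/ASA 7.x nat-control decisions.
It parses a small constructed config and reports whether a flow is forwarded with
NAT control on or off. Only L3 addresses are checked; ports and routing are ignored."""
import ipaddress

# Constructed sample config (hypothetical interface names, ACL names and addresses).
# 10.1.1.0/24: dynamic NAT; 10.1.1.10: static; 10.1.2.0/24: identity NAT (nat 0, no
# ACL); 10.1.3.0/24: NAT exemption (nat 0 with ACL); 10.1.4.0/24: no NAT rule at all.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any 10.1.0.0 255.255.0.0 eq 22
nat (inside) 0 access-list NONAT
nat (inside) 0 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
"""

def _net(t, i):
    # Parse an ACE address spec at t[i] (any | host A | A MASK); return (network, next i).
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

class NatModel:
    def __init__(self, config, nat_control):
        self.nat_control = nat_control
        self.seclevel, self.acls, self.acl_on, cur = {}, {}, {}, None
        self.nat, self.globals, self.statics, self.exempt = [], set(), [], []
        for t in filter(None, map(str.split, config.splitlines())):  # tokenised non-blank lines
            if t[0] == "nameif":
                cur = t[1]
            elif t[0] == "security-level":
                self.seclevel[cur] = int(t[1])
            elif t[0] == "access-list" and "permit" in t:
                src, p = _net(t, t.index("permit") + 2)  # +2 skips the protocol keyword
                dst, _ = _net(t, p)
                self.acls.setdefault(t[1], []).append((src, dst))
            elif t[0] == "access-group":  # access-group ACL in interface IF
                self.acl_on[t[4]] = t[1]
            elif t[0] == "nat":
                ifc, nat_id = t[1].strip("()"), int(t[2])
                if t[3] == "access-list":  # nat 0 access-list: NAT exemption, works both ways
                    self.exempt += [s for s, _ in self.acls.get(t[4], [])]
                else:  # nat ID NET MASK; ID 0 without an ACL is identity NAT
                    self.nat.append((ifc, nat_id, ipaddress.ip_network(f"{t[3]}/{t[4]}")))
            elif t[0] == "global":
                self.globals.add((t[1].strip("()"), int(t[2])))
            elif t[0] == "static":  # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
                real_if, map_if = t[1].strip("()").split(",")
                self.statics.append((real_if, map_if, ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3])))

    def _outbound_rule(self, src, ingress, egress):
        """NAT rule that would translate or exempt src leaving via egress, else None."""
        if any(src in n for n in self.exempt):
            return "nat 0 access-list"
        if any(r == ingress and m == egress and src == real for r, m, _, real in self.statics):
            return "static"
        for ifc, nat_id, net in self.nat:
            if ifc == ingress and src in net and (nat_id == 0 or (egress, nat_id) in self.globals):
                return "nat 0 (identity)" if nat_id == 0 else f"nat {nat_id} + global {nat_id}"
        return None

    def _inbound_rule(self, dst, ingress, egress):
        """Rule admitting a flow initiated from the lower-security side to dst, else None.
        Identity NAT (nat 0 without an ACL) is left out on purpose: higher-security side only."""
        if any(dst in n for n in self.exempt):
            return "nat 0 access-list"
        if any(r == egress and m == ingress and dst == mapped for r, m, mapped, _ in self.statics):
            return "static"
        return None

    def decide(self, ingress, egress, src, dst):
        """Return (forwarded, reason) for a packet src -> dst arriving on ingress."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.seclevel[ingress] > self.seclevel[egress]:  # outbound
            rule = self._outbound_rule(src, ingress, egress)
            if rule is None and self.nat_control:
                return False, "nat-control: no NAT rule matches the source"
            return True, f"outbound via {rule or 'no translation'}"
        # inbound: the ACL on the arriving interface is checked in both modes
        if not any(src in s and dst in d for s, d in self.acls.get(self.acl_on.get(ingress), [])):
            return False, "no permit in the ingress access-list"
        rule = self._inbound_rule(dst, ingress, egress)
        if rule is None and self.nat_control:
            return False, "nat-control: no static or nat 0 access-list for the destination"
        return True, f"inbound via {rule or 'no translation'}"
```

Build the model twice, `NatModel(SAMPLE_CONFIG, nat_control=True)` and `nat_control=False`, and call `decide("inside", "outside", "10.1.4.20", "198.51.100.5")` on each: the host with no NAT rule is dropped under nat-control and forwarded untranslated without it, while `10.1.1.20` is translated by nat 1/global 1 in both modes. For the inbound direction, `decide("outside", "inside", "198.51.100.5", "10.1.2.10")` shows the identity NAT host being reachable only when NAT control is off, whereas a destination absent from OUTSIDE_IN is dropped in both modes.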
To summarize:
Traffic traversing from a More Secure to a Less Secure interface
  • Is designated as outbound traffic.
  • The firewall allows all IP-based traffic unless restricted by access lists, authentication, or authorization.
  • With NAT control enabled, one or more of the following commands are required:
    - nat, nat 0, global, static
Traffic traversing from a Less Secure to a More Secure interface
  • Is designated as inbound traffic (for example, Outside to Inside connections).
  • Inbound permission is required: the firewall drops all packets unless specifically allowed in the access list applied on the arriving interface. Further restrictions apply if authentication and authorization are used.
  • With NAT control enabled, one or more of the following commands are required in addition to the inbound access list on the ingress interface:
    - nat 0 with an access list, or static
