Nat Control - Cisco 7604 Configuration Manual

Chapter 16 Configuring NAT

NAT Control

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule; for any host on the inside network to access a host on the outside network, you must configure NAT
to translate the inside host address. (See
Figure 16-3
10.1.1.1
10.1.2.1
Interfaces at the same security level are not required to use NAT to communicate. However, if you
configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic
from the interface to a same security interface or an outside interface must match a NAT rule. (See
Figure
Figure 16-4
10.1.1.1
Similarly, if you enable outside dynamic NAT or PAT with NAT control, then all outside traffic must
match a NAT rule when it accesses an inside interface. (See
Figure 16-5
FWSM
No NAT
209.165.202.129
Outside
Static NAT with NAT control does not cause these restrictions.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you
choose to perform NAT. If you upgraded from an earlier version of software, however, NAT control
might be enabled on your system.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
NAT Control and Outbound Traffic
FWSM
209.165.201.1
NAT
No NAT
Inside Outside
16-4.)
NAT Control and Same Security Traffic
FWSM
10.1.1.1
No NAT
Level 50 Level 50
NAT Control and Inbound Traffic
209.165.202.129
Inside
Figure 16-3.)
FWSM
10.1.1.1 Dyn. NAT
No NAT
10.1.2.1
Level 50
Figure
FWSM
Dyn. NAT
209.165.202.129
No NAT
209.165.200.240
Outside
NAT Overview
209.165.201.1
Level 50
or
Outside
16-5.)
10.1.1.50
Inside
16-5