Verifying NAT-Control

NAT control, you say? What is this feature, and why does it control NAT? NAT control is a feature that requires a matching NAT rule before the ASA will permit traffic: the ASA has to be able to create a NAT translation (an xlate) for the packet, and if no translation rule matches, it drops the packet.

NAT control was the default behaviour for software versions earlier than Version 7.0, where NAT rules were required for the creation of xlate records. With NAT control enabled, an xlate record or a NAT rule covering the traffic has to exist before the ASA will permit it. This applies even to traffic you expect to pass untranslated: hosts that should keep their real addresses still need an identity NAT or NAT exemption (nat 0) rule, otherwise the packet is dropped and the ASA logs a "No translation group found" message (syslog 305005).

We can verify whether NAT control is enabled with the following command:

SC#show running-config nat-control
no nat-control

The above output verifies that nat-control is off on this ASA. Years ago this feature might have been helpful, but I find it just makes the ASA configuration more complex. That is probably why Cisco disabled it by default in newer versions and removed the feature altogether in ASA version 8.3(1), where NAT is no longer required for traffic to pass.

You have to watch out for this feature, as there are times when it can catch you off guard: you might think there is something wrong with your access-list, when it was only nat-control preventing the xlate from being created in the first place.

If the hitcnt counter in show access-list isn't increasing for a rule you expect to match, check nat-control. To confirm it is the cause, look for the 305005 "No translation group found" messages with show logging | include 305005, or run packet-tracer for the flow, which reports the phase in which the packet is dropped and why.
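The situation described above, as a constructed before-and-after configuration for a pre-8.3 ASA. This is an added example and not configuration from the original post; the interface names, addresses and access-list names are assumptions.

```text
! --- Constructed example: the trap ---
! nat-control is on, the access-list permits the traffic, but no NAT
! rule covers 10.1.1.0/24, so the ASA cannot build an xlate and drops
! the packet (syslog 305005, "No translation group found") before the
! access-list counter ever moves.
nat-control
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-group INSIDE_OUT in interface inside

! --- Fix 1: turn the feature off (the default on a fresh ASA 7.0+) ---
no nat-control

! --- Fix 2: keep nat-control and give the traffic a rule to match ---
! Either translate it (PAT to the outside interface address)...
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
! ...or exempt it from translation while still satisfying nat-control
! (NAT exemption keeps the real 10.1.1.x addresses on the wire).
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! --- Verifying which case you are in ---
! show running-config nat-control
! show access-list INSIDE_OUT         (hitcnt stays at 0 while trapped)
! show logging | include 305005       (no-translation-group drops)
! packet-tracer input inside tcp 10.1.1.50 1025 198.51.100.10 80
!   (reports the phase in which the packet is dropped and the reason)
```

Both fixes use the 7.x/8.2 nat/global/static syntax; from 8.3(1) onward nat-control no longer exists and the NAT configuration model changes, so this trap only applies to the older releases.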

Dec 3rd, 2010 • Posted in ASA, NAT, Routing