NAT Control
The firewall has traditionally been a stateful inspection device that also required NAT for maximum performance and security.
NAT control is available as a feature in the new software release on the Security Appliance.
NAT control dictates to the firewall whether address translation rules are required for outside communications and
ensures that the address translation behavior is the same as in versions earlier than 7.0.
The NAT control feature works as follows:
When NAT control is disabled, the firewall forwards all packets from a higher-security (such as Inside)
interface to a lower-security (such as Outside) interface without requiring a NAT rule. Traffic
from a lower-security interface to a higher-security interface only requires that it be permitted in the
access lists; no NAT rule is required in this mode.
When NAT control is enabled, the use of NAT is mandatory. (A matching NAT rule is compulsory in
this case.) Packets originating from a higher security-level interface (such as Inside) and destined to a lower
security-level interface (such as Outside) must match a NAT rule (a nat command with a corresponding global,
or a static command), or else processing for the packet stops and it is dropped. Traffic from a
lower-security interface to a higher-security interface also requires a NAT rule (typically a static) and must
additionally be permitted in the access lists to be forwarded through the firewall.
The default configuration is the equivalent of the no nat-control command (NAT control disabled mode).
With version 7.0 and later, this behavior can be changed as required.
To enable NAT control, use the nat-control command in global configuration mode, as shown next:
hostname(config)# nat-control
Note
The nat-control command is available in routed firewall mode and in both single and multiple security
context modes.
When nat-control is enabled, each Inside address must have a corresponding Inside NAT rule. Similarly, if
Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside
NAT rule before communication is allowed through the Security Appliance.
By default, NAT control is disabled (no nat-control command). The no nat-control command allows Inside
hosts to communicate with outside networks without the need to configure a NAT rule. In essence, with NAT
control disabled, the Security Appliance does not require an address translation for any packet: NAT rules that
are configured are still applied to the traffic that matches them, and all other traffic passes untranslated. To
disable NAT control globally, use the no nat-control command in global configuration mode:
hostname(config)# no nat-control
The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity
NAT requires that traffic be originated from the higher-level interface. The no nat-control command does not
have this requirement, nor does it require a static command to allow communication from the lower-level
interface (from Outside to Inside); it relies only on the access policies, for example, permitting the traffic in an ACL
and having the corresponding access entries applied to the incoming interface.
To summarize, traffic traversing from a More Secure to a Less Secure interface:
- Is designated as outbound traffic.
- The firewall permits all IP-based traffic unless restricted by access lists, authentication, or authorization.
- When NAT control is enabled, one or more of the following commands are required: nat, nat 0, global, static.
Traffic traversing from a Less Secure to a More Secure interface (for example, Outside to Inside connections):
- Is designated as inbound traffic; explicit inbound permission is required.
- The firewall drops all packets unless specifically permitted in the access list that is applied on the
incoming interface. Further restrictions apply if authentication and authorization are used.
- When NAT control is enabled, one or more of the following commands are required: nat 0 with an ACL, or
static, together with an inbound access list on the incoming interface.
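The two modes side by side, as an added worked configuration that is not text from the original page. It uses the pre-8.3 (7.x through 8.2) nat/global/static syntax that the nat-control command belongs to, and assumes interfaces named inside (security level 100) and outside (security level 0), an inside network of 192.168.1.0/24, a web server at 192.168.1.10 and a public address 203.0.113.10; the interface names, addresses and the ACL name OUTSIDE_IN are illustrative assumptions (addresses taken from the RFC 1918 and RFC 5737 documentation ranges).

```cisco
! Assumed interfaces (illustrative addresses, not from the original page).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! --- Variant A: NAT control enabled. Every flow must match a translation rule. ---
nat-control
! Outbound (inside -> outside): dynamic PAT of the whole inside subnet behind the
! outside interface address. Without this nat/global pair, inside hosts are dropped.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Inbound (outside -> inside): the static satisfies NAT control; the inbound ACL is
! required whether or not NAT control is enabled.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_IN in interface outside
! Identity NAT (nat 0) would also satisfy NAT control for the inside host, but only
! for connections the inside host originates; it does not admit outside-initiated
! connections on its own, which is why the static is used above.
! nat (inside) 0 192.168.1.10 255.255.255.255
!
! --- Variant B: NAT control disabled (the default). Replace the nat-control line
! and the translation rules of Variant A with the following. ---
no nat-control
! Inside hosts reach the outside untranslated, and inbound traffic is governed only
! by the access policy, so the ACL references the real server address. Routing of
! 192.168.1.0/24 from the outside network is assumed.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq https
access-group OUTSIDE_IN in interface outside
```

Apply one variant or the other; if both are pasted, the later no nat-control line wins and the translation rules of Variant A then apply only to traffic that matches them, with everything else passing untranslated.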