
Yusuf Bhaiji

"Network Security Technologies and Solutions"

Traffic from a lower-security interface to a higher-security interface only requires that it be permitted in the
access lists, and no NAT rule is required in this mode.
When NAT control is enabled, the use of NAT becomes mandatory. (The NAT rule is compulsory in
this case.) With NAT control enabled, packets initiated from a higher security-level
interface (such as Inside) to a lower security-level interface (such as Outside) must match a NAT rule
(a nat command with a corresponding global, or a static command), or else processing for the packet
stops. Traffic from a lower-security interface to a higher-security interface also requires a NAT rule and
must be permitted in the access lists to be forwarded through the firewall.
The default configuration is no nat-control (NAT control disabled mode).
With version 7.0 and later, this behavior can be changed as required.
To enable NAT control, use the nat-control command in the global configuration mode, as shown next:
hostname(config)# nat-control
Note
The nat-control command is available in routed firewall mode and in single and multiple security
context modes.
When nat-control is enabled, each Inside address must have a corresponding Inside NAT rule.
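The following Python check is an added example, not taken from the book: it reads PIX/ASA 7.x-style configuration text and, following the rule above, reports whether NAT control is on and which nat rules have no global with the same NAT ID. The sample configuration, its addresses and the function name audit_nat_control are constructed for illustration; matching globals by NAT ID alone is a simplification, and NAT ID 0 is skipped because identity NAT and NAT exemption take no global.

```python
import re

# Constructed sample in PIX/ASA 7.x syntax; all addresses are made-up examples.
SAMPLE_CONFIG = """\
nat-control
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
nat (dmz) 2 172.16.1.0 255.255.255.0
static (inside,outside) 192.0.2.10 10.1.2.10 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+)")


def audit_nat_control(config):
    """Report the NAT-control state and nat rules that lack a matching global."""
    enabled = False  # default is "no nat-control" (NAT control disabled)
    nat_rules, global_ids, statics = [], set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "nat-control":
            enabled = True
        elif line == "no nat-control":
            enabled = False
        elif m := NAT_RE.match(line):
            nat_rules.append({"interface": m[1], "id": m[2], "source": m[3]})
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m[2])
        elif m := STATIC_RE.match(line):
            statics.append({"real_if": m[1], "mapped_if": m[2], "real_ip": m[4]})
    # NAT ID 0 (identity NAT / NAT exemption) takes no global, so skip it.
    unmatched = [r for r in nat_rules
                 if r["id"] != "0" and r["id"] not in global_ids]
    return {"nat_control": enabled, "unmatched_nat": unmatched, "statics": statics}


if __name__ == "__main__":
    report = audit_nat_control(SAMPLE_CONFIG)
    print("NAT control enabled:", report["nat_control"])
    for rule in report["unmatched_nat"]:
        print("nat rule without a global:", rule)
    for s in report["statics"]:
        print("static translation for", s["real_ip"], "on", s["real_if"])
```

With NAT control enabled, a nat rule reported here has no translation to use, so traffic it covers stops at the firewall until a global with that NAT ID or a static is added.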

