Similarly, if
an Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside
NAT rule before communication is allowed through the Security Appliance.
By default, NAT control is disabled (no nat-control command). The no nat-control command allows Inside
hosts to communicate with outside networks without the need to configure a NAT rule. In essence, with NAT
control disabled, the Security Appliance does not perform an address translation function on any packets. To
disable NAT control globally, use the no nat-control command in global configuration mode:
hostname(config)# no nat-control
The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity
NAT requires that traffic be initiated from the higher-level interface. The no nat-control command does not
have this requirement, nor does it require a static command to allow communication from the lower-level
interface (from Outside to Inside); it relies only on access policies, for example, permitting the traffic in an ACL
and having corresponding route entries.
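The contrast described above, as an added configuration sketch that is not part of the original text. The addresses, the next-hop gateway, the ACL name OUTSIDE_IN and the interface names inside and outside are assumptions chosen for illustration.

```cisco
! --- Option A: NAT control enabled, identity NAT for the Inside subnet ---
nat-control
! Hosts in 10.1.1.0/24 (constructed subnet) keep their real addresses,
! but sessions must be initiated from the higher-level (Inside) interface.
nat (inside) 0 10.1.1.0 255.255.255.0

! --- Option B: NAT control disabled ---
no nat-control
! No nat or static rule is required. Outside-to-Inside traffic depends only
! on the access policy and on routing.
! Permit only the specific host and service that must be reachable
! (10.1.1.10 is a constructed Inside server address).
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq www
access-group OUTSIDE_IN in interface outside
! Corresponding route entry (192.0.2.1 is a constructed next hop).
route outside 0.0.0.0 0.0.0.0 192.0.2.1
```

With Option B the ACL is the only control on Outside-initiated traffic, so it should name the narrowest host and port set that the service requires.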
To summarize, traffic traversing from a More Secure to a Less Secure interface is designated as outbound traffic.