Paid To Popup Hacking Articles: ASA Firewall NAT Control Feature

ASA Firewall NAT Control Feature

With the original PIX firewall models, all traffic traversing a Cisco firewall from inside to outside (higher security level to lower security level) had to match a NAT rule; otherwise the traffic was blocked. For example, for an inside web client host to access an outside web server host, there had to be a NAT translation rule matching the inside traffic and translating it to an outside address.
So what about “no nat-control”? This feature affects only traffic that is not described in NAT statements. All the NAT features still work as described; the impact is on the address space not described by NAT. If “no nat-control” is configured on the firewall, traffic that does not match a NAT rule is no longer blocked. Subject to all ACLs, security-level rules, statefulness, etc., that traffic can now traverse the PIX/ASA. For traffic that does not match a NAT rule, the firewall acts as a router, forwarding the traffic according to the ACL restrictions only.
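
The decision described above can be checked against a saved configuration. The following Python script is an added example, not code from the original article or from Cisco: it reads `nat-control` / `no nat-control` and `nat (interface) id network mask` lines in pre-8.3 syntax and reports what happens to a given inside source address. The sample configs and host addresses are constructed, ACLs and security levels are not modelled, and treating a config with neither line as `no nat-control` is an assumption of the script.

```python
import ipaddress
import re

# Constructed pre-8.3 PIX/ASA config fragments (sample data, not from the page).
NAT_LINES = "nat (inside) 1 10.1.1.0 255.255.255.0\nglobal (outside) 1 interface\n"
CONFIG_NAT_CONTROL = "nat-control\n" + NAT_LINES
CONFIG_NO_NAT_CONTROL = "no nat-control\n" + NAT_LINES

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")


def parse(config):
    """Return (nat_control_enabled, [(interface, nat_id, network), ...])."""
    nat_control = False  # assumption of this script when neither line is present
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "nat-control":
            nat_control = True
        elif line == "no nat-control":
            nat_control = False
        match = NAT_RE.match(line)
        if match:
            ifc, nat_id, addr, mask = match.groups()
            rules.append((ifc, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}")))
    return nat_control, rules


def classify(config, src_ip, interface="inside"):
    """Outcome for outbound traffic from src_ip, before ACLs are considered."""
    nat_control, rules = parse(config)
    ip = ipaddress.ip_address(src_ip)
    for ifc, nat_id, net in rules:
        if ifc == interface and ip in net:
            # nat id 0 is identity NAT: a rule matches but the address is kept
            return "identity-nat" if nat_id == 0 else "translated"
    # No NAT rule matched: this is the case the nat-control setting decides.
    return "blocked" if nat_control else "routed-untranslated"


if __name__ == "__main__":
    for name, cfg in (("nat-control", CONFIG_NAT_CONTROL),
                      ("no nat-control", CONFIG_NO_NAT_CONTROL)):
        for host in ("10.1.1.25", "10.2.2.25"):  # constructed inside hosts
            print(f"{name:15} {host:10} -> {classify(cfg, host)}")
```

A result of `routed-untranslated` means the host's real address is forwarded unchanged and the interface ACLs are the only filter left for that traffic, so those are the addresses whose ACL coverage is worth reviewing.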