ASA NAT control
NAT control, when enabled on an ASA, requires that packets traversing from an INSIDE interface to an OUTSIDE interface match a NAT rule. If no NAT rule is matched, the packet is dropped.
If it is disabled, then this matching is not a requirement, and the packet can be forwarded and routed without a NAT translation (assuming it passes any other checks that have been implemented on the ASA).
The CLI command to enable this feature is the following:
cisco_ASA(config)#nat-control
The corresponding configuration parameter when using ASDM is the checkbox labeled “Enable traffic through the firewall without address translation”, found under Configuration --> Firewall --> NAT Rules.
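To check a saved configuration for the behaviour described above, the following added example (not part of the original note or of any Cisco tooling) reports whether NAT control is enabled and which interfaces have no NAT rule, so their outbound traffic would be dropped. It goes slightly beyond the inside/outside case by treating every interface above the lowest security level as an "inside". It assumes pre-8.3 ASA syntax (nat, static, nameif, security-level), that a missing nat-control line means the feature is off, and a constructed sample config; the function name audit_nat_control is hypothetical.

```python
import re

# Constructed sample running-config (pre-8.3 ASA syntax); not from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
nat-control
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
"""

def audit_nat_control(config):
    """Return (nat_control_enabled, interfaces_lacking_a_nat_rule)."""
    enabled = False            # assumption: no nat-control line means disabled
    levels = {}                # nameif -> security-level
    natted = set()             # interfaces named as the real side of a NAT rule
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None     # new interface block, nameif not seen yet
        elif line == "nat-control":
            enabled = True
        elif line == "no nat-control":
            enabled = False
        elif m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and current:
            levels[current] = int(m.group(1))
        elif m := re.match(r"(?:nat|static) \(([^,)\s]+)[,)]", line):
            natted.add(m.group(1))
    if not enabled or not levels:
        return enabled, []     # without NAT control, a missing rule drops nothing
    lowest = min(levels.values())
    missing = sorted(name for name, lvl in levels.items()
                     if lvl > lowest and name not in natted)
    return enabled, missing

if __name__ == "__main__":
    print(audit_nat_control(SAMPLE_CONFIG))
```

In the sample, dmz is flagged because NAT control is on and no nat or static rule names it as the real interface.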
Links:
https://forum.networklessons.com/t/cisco-asa-dynamic-nat-configuration/813/62?u=lagapides