ASA Firewall NAT Control Feature

With the original PIX firewall models, all traffic traversing a Cisco firewall from inside to outside (higher security level to lower security level) had to match a NAT rule; otherwise the traffic was blocked. For example, for an inside web client host to access an outside web server host, there had to be a NAT translation rule matching the inside traffic so that it was translated to an outside address.

So what about "no nat-control"? This feature affects traffic that is not described in NAT statements. All the NAT features still work as described; the impact is on the address space not described by NAT. If "no nat-control" is configured on the firewall, traffic that does not match a NAT rule is no longer blocked. All ACLs, security level rules, statefulness, etc. still apply, and that traffic can now traverse the PIX/ASA. For the traffic that does not match a NAT rule, the firewall acts as a router, forwarding the traffic according to the ACL restrictions only.
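The two behaviours side by side, as an added configuration example that is not part of the original article. It uses pre-8.3 PIX/ASA syntax; the subnets, the ACL name INSIDE_OUT and the interface names are assumptions chosen for illustration.

```cisco
! Constructed example: addresses, ACL name and interface names are assumptions.

! --- Case 1: NAT control enforced ---
nat-control
! Only 192.168.1.0/24 is described by a NAT rule (dynamic PAT to the outside interface).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Result: 192.168.1.10 -> outside matches the NAT rule and is translated.
!         192.168.2.10 -> outside matches no NAT rule and is blocked.

! --- Case 2: NAT control disabled ---
no nat-control
! The nat/global pair above still translates 192.168.1.0/24 exactly as before.
! 192.168.2.10 -> outside matches no NAT rule and is now forwarded untranslated,
! so the ACL is the only thing that decides what that address space may do.
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended deny ip 192.168.2.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside

! Checks after the change:
!   show running-config nat-control   (confirms which mode is active)
!   show xlate                        (lists the translations actually in use)
```

When auditing a firewall that runs with "no nat-control", review the interface ACLs for every inside subnet that has no NAT statement, since those subnets are no longer stopped by the missing translation.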
