Access from low security interface to high security interface

Answered Question

Hi all.


I thought I had a pretty solid grasp of Cisco's firewalls, so this puzzles me.

I always understood that access from a lower security interface to a higher security interface required a form of translation or xlate using a static statement. When I use the terms translation and xlate, the static statement could actually NAT or NOT NAT traffic from the low interface to the high interface.

I'm looking at a firewall configuration where there are no static statements, no globals and no NAT statements, and traffic appears to be initiated from the lower interface (security 0) to a higher interface (security 90).

How is this so? It's an ASA5510 running 7.0(6).

Is my understanding completely wrong?


Thanks in advance


ccbootcamp Tue, 12/18/2007 - 19:48

What about between your DMZ and INSIDE interfaces? That's a pretty standard situation to not have any translations, don't ya think?


-brad

www.ccbootcamp.com

(please rate the post if this helps!)

Agreed.

But I've always achieved this using a static statement which simply exposes the inside network to the DMZ with no address translation.


inside 10.1.10.x

DMZ 10.1.20.x

static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0


Cisco's command reference indicates traffic between low to high requires a static.

Correct Answer
srue Tue, 12/18/2007 - 20:16

Is nat-control enabled?

"show run nat-control"

If nat-control is not enabled (the default, unless an upgrade from 6.x has been done), you do not need NAT entries (static or dynamic) for internal hosts (hosts on higher security-level interfaces) to be reached from lower security-level interfaces, or for them to initiate outbound traffic. This feature is new with 7.x.

If nat-control is enabled, then it behaves like 6.x and its predecessors, and NAT entries are required for anything going from a higher security-level interface to a lower-level interface.
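To turn the check above into something repeatable when auditing a saved running-config, here is an added example (not from this thread or from Cisco) that parses the 7.x-style `nameif`/`security-level` blocks, the `nat-control` line and `static (real,mapped)` entries, and lists every low-to-high interface pair that has no static covering it. When nat-control is off those pairs are reachable purely on the strength of the interface access-lists, which is what an auditor should go and verify; when it is on they will fail without a static. The config text is constructed for the example and the 10.1.x addressing is taken from the post above.

```python
import re

# Constructed ASA 7.x running-config excerpt (sample input, not a real device).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 90
interface Ethernet0/2
 nameif dmz
 security-level 50
no nat-control
static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
"""

def parse_asa_config(text):
    """Return (nat_control_enabled, {nameif: security_level}, [(real_if, mapped_if, mapped_ip, real_ip)])."""
    levels, statics = {}, []
    nat_control = False          # 7.x default is off; a bare 'nat-control' line turns it on
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s == "nat-control":
            nat_control = True
        elif s == "no nat-control":
            nat_control = False
        elif s.startswith("nameif "):
            current = s.split()[1]
        elif s.startswith("security-level ") and current:
            levels[current] = int(s.split()[1])
        else:
            # static (real_ifc,mapped_ifc) mapped_ip real_ip ...
            m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", s)
            if m:
                statics.append(m.groups())
    return nat_control, levels, statics

def low_to_high_pairs_without_static(text):
    """(nat_control, [(low_if, high_if), ...]) for pairs with no static on the high->low interface pair.
    nat-control off: these rely solely on the interface ACLs. nat-control on: traffic fails here."""
    nat_control, levels, statics = parse_asa_config(text)
    covered = {(real_if, mapped_if) for real_if, mapped_if, _, _ in statics}
    pairs = [(low, high) for high, hl in levels.items()
             for low, ll in levels.items()
             if ll < hl and (high, low) not in covered]
    return nat_control, sorted(pairs)
```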

srue Wed, 12/19/2007 - 05:26

Glad I could help...

(and thanks for the rating)...
