I thought I had a pretty solid grasp of Cisco's firewalls, so this puzzles me.
I always understood that access from a lower security interface to a higher security interface required a form of translation or xlate using a static statement. When I use the terms translation and xlate, the static statement could actually NAT or not NAT traffic from the low interface to the high interface.
I'm looking at a firewall configuration where there are no static statements, no globals and no NAT statements, and traffic appears to be initiated from the lower interface (security 0) to a higher interface (security 90).
How is this so? It's an ASA5510 running 7.0(6).
Is my understanding completely wrong?
Thanks in advance
Is nat-control enabled?
"show run nat-control"
If nat-control is not enabled (the default, unless an upgrade from 6.x has been done), you do not need NAT entries (static or dynamic) for internal hosts (hosts on higher security-level interfaces) to be reached from lower security-level interfaces, or for them to initiate outbound traffic. This feature is new with 7.x.
If nat-control is enabled, then it behaves like 6.x and its predecessors, and NAT entries are required for anything going from a higher security-level interface to a lower security-level interface.
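As an added illustration (not part of either post above), here is how the same inbound flow to an internal web server looks on a pre-8.3 ASA under both settings. The interface names, addresses and the ACL name are made-up placeholders. One point worth stressing for the original poster's case: turning nat-control off removes the translation requirement, but it does not remove the need for an access-list applied inbound on the lower-security interface; without one the lower-to-higher flow still hits the implicit deny. Also note that this whole model only applies to 7.x through 8.2; 8.3 and later replaced the nat/global/static syntax and dropped nat-control entirely.

```cisco
! --- Case 1: nat-control disabled (the 7.x default on a fresh install) ---
! No nat/global/static is needed for an outside host to reach 10.1.1.10.
! The inbound ACL on outside is still mandatory and, because nothing is
! translated, it references the host's real address.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 90
 ip address 10.1.1.1 255.255.255.0
!
no nat-control
access-list outside_in extended permit tcp any host 10.1.1.10 eq 80
access-group outside_in in interface outside
!
! --- Case 2: nat-control enabled (6.x behaviour, or after an upgrade) ---
! Every flow crossing from inside to outside must match a nat/global pair
! or a static, and an inside host is only reachable from outside through
! a static. Here 10.1.1.10 is published as 192.0.2.10, so the ACL permits
! the translated (global) address, which is what pre-8.3 ACLs see.
! For a no-NAT static, use the same address on both sides:
!   static (inside,outside) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
nat-control
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-group outside_in in interface outside
!
! Check which mode a box is in before assuming anything about its NAT:
!   show run nat-control
! prints "nat-control" or "no nat-control".
```

When auditing a 7.x config that seems to pass lower-to-higher traffic with no statics, check the nat-control line first, then the access-group bindings; the ACL is the only thing gating that flow once nat-control is off.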