Passing traffic

Unanswered Question
Mar 11th, 2009
I have a Cisco PIX 525 with 5 interfaces. One is the outside interface with a public address, and there is another public network in the DMZ. There are no translations between the DMZ and outside, as both contain routable addresses. I have created the ACLs for the outside to get to the DMZ, and the traffic works fine. My question is: do I need to allow the traffic back from the DMZ, or will the traffic be allowed to return because it is an SPI firewall?


Also do I need a NAT 0 statement for traffic passing from the DMZ to the outside?

Jon Marshall Wed, 03/11/2009 - 06:05
Lewis


Not sure what you mean by no NAT translations. Have you turned NAT off?

Even using public IP addresses on the DMZ, you still need to have a NAT rule for traffic to be allowed from a lower to a higher security interface, e.g. something like

static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240

So have you turned NAT off, or do you have a statement like the one above?

If you have turned NAT off, nothing is needed on the DMZ interface, i.e. no nat statement and no ACL.

If you have a static statement like the one given above, then you don't need to do anything else.


Jon

networker99 Wed, 03/11/2009 - 06:24
We have a NO NAT statement for the DMZ subnet going anywhere.

Jon Marshall Wed, 03/11/2009 - 06:27
Lewis


What is the actual config to do this on your firewall?

Are you experiencing any connectivity problems?

As for the ACL, you don't need one on the DMZ, as return traffic from the DMZ to outside will be allowed due to the stateful nature of the firewall, and connections from the DMZ can be initiated to a lower security interface.

Only if you wanted to

a) restrict outbound traffic from the DMZ

OR

b) allow traffic from the DMZ to a higher security interface such as the inside

would you need an ACL.


Jon
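Pulling the two replies above (the NAT rule for the public DMZ block, and when a DMZ ACL is and is not needed) together as one worked configuration. This is an added example, not the poster's or Jon's config. It assumes PIX 7.x / ASA 8.0 syntax (PIX 6.x differs: no nat-control command and different interface naming), interfaces named outside (security level 0), dmz (50) and inside (100), the 195.17.10.0/28 DMZ block from the reply above, a hypothetical DMZ web server 195.17.10.5, a hypothetical upstream resolver 198.51.100.53, and a hypothetical inside range 10.0.0.0/8.

```cisco
! Added example, not the poster's configuration. Assumes PIX 7.x / ASA 8.0
! syntax, interfaces outside (security-level 0), dmz (50), inside (100),
! the 195.17.10.0/28 DMZ block from the reply above, a hypothetical DMZ web
! server 195.17.10.5, a hypothetical upstream resolver 198.51.100.53 and a
! hypothetical inside range 10.0.0.0/8.

! ----- 1. Translation rule for the public DMZ block -----
! With nat-control on, every flow through the box needs a matching
! translation even when the address is not changed. Pick ONE of the two.
nat-control
!
! Option A: identity static (same address on both sides). Also makes the
! DMZ hosts reachable from outside at their real addresses.
static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240
!
! Option B: NAT exemption ("NAT 0"), the same effect for this case.
! access-list DMZ_NONAT extended permit ip 195.17.10.0 255.255.255.240 any
! nat (dmz) 0 access-list DMZ_NONAT
!
! If nat-control is off (the default on a fresh ASA 7.x/8.x install, so it
! does not show up in "show running-config"), neither rule is required and
! only the ACLs below matter. Check the effective setting with:
!   show running-config all | include nat-control

! ----- 2. Inbound policy: outside -> dmz (lower -> higher) -----
! Lower-to-higher traffic is denied unless an ACL permits it. Pre-8.3 the
! ACL matches the translated (global) address; with identity NAT that is
! the real address.
access-list OUTSIDE_IN extended permit tcp any host 195.17.10.5 eq 80
access-list OUTSIDE_IN extended permit tcp any host 195.17.10.5 eq 443
! everything else is dropped by the implicit deny at the end of the ACL
access-group OUTSIDE_IN in interface outside

! No ACL is needed on dmz for the replies: the connection entry created by
! the permitted inbound SYN carries the return packets back out. Verify a
! live session and its translation with:
!   show conn | include 195.17.10.5
!   show xlate | include 195.17.10.5

! ----- 3. Optional: restrict what the DMZ may initiate (case a) -----
! Without an ACL on dmz, higher-to-lower traffic (dmz -> outside) is allowed
! by security level alone. Applying an ACL replaces that default: anything
! not listed is now denied. The explicit deny to the inside range goes
! FIRST, because once an ACL is on the interface a "permit ... any" line
! also matches inside hosts (case b) and would override the security-level
! default that otherwise blocks dmz -> inside.
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit udp host 195.17.10.5 host 198.51.100.53 eq 53
access-list DMZ_IN extended permit tcp host 195.17.10.5 any eq 80
access-list DMZ_IN extended permit tcp host 195.17.10.5 any eq 443
access-group DMZ_IN in interface dmz
```

The ordering in section 3 is the part worth checking on a real box: with the deny line removed, `show access-list DMZ_IN` would show the `permit tcp ... any eq 80` entry accumulating hits for connections into the inside network, which is exactly the higher-security leak the security-level model is supposed to prevent.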

networker99 Wed, 03/11/2009 - 06:37
I've got it, thanks. I have one other question, if you don't mind. We also have an ASA set up with 2 interfaces, one with 192.168.1.x and the other with 10.1.10.x. We have the ACLs configured and traffic can pass between subnets without any NAT statement. How is this possible?

Jon Marshall Wed, 03/11/2009 - 06:43
It may well be that you have nat-control turned off. If you have, then you don't need NAT to allow traffic from a lower to a higher security interface, but you still need an ACL.


Jon

networker99 Wed, 03/11/2009 - 06:56
There is nothing to say it is switched off. This is an ASA running v8.0.
