Passing traffic

networker99
Level 1

I have a Cisco PIX 525 with 5 interfaces. 1 is the outside interface with a public address, and there is another public network in the DMZ. Now there are no translations between the DMZ and outside as both contain routable addresses. Now I have created the ACLS, for the outside to get to the DMZ and the traffic works fine. My question is do I need to allow the traffic back from the DMZ or will the traffic be allowed to return due to it being an SPI firewall?

Also, do I need a NAT 0 statement for traffic passing from the DMZ to the outside?

8 Replies

Jon Marshall
Hall of Fame

Lewis

Not sure what you mean by no NAT translations. Have you turned NAT off?

Even using public IP addresses on the DMZ you still need to have a NAT rule for traffic to be allowed from a lower to a higher security interface, e.g. something like

static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240

So have you turned NAT off, or do you have a statement like the one above?

If you have turned NAT off, nothing is needed on the DMZ interface, i.e. no nat statement and no ACL.

If you have a static statement like the one given above, then you don't need to do anything else.

Jon

We have a NO NAT statement for the DMZ subnet going anywhere

Lewis

What is the actual config to do this on your firewall?

Are you experiencing any connectivity problems?

As for the ACL, you don't need one on the DMZ, as return traffic from the DMZ to outside will be allowed due to the stateful nature of the firewall, and connections from the DMZ can be initiated to a lower security interface.

Only if you wanted to

a) restrict outbound traffic from DMZ

OR

b) allow traffic from DMZ to a higher security interface such as the inside

would you need an ACL.

Jon
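As an added worked example (not part of the original thread, and not the poster's or Jon's config), here is a PIX configuration fragment that ties Jon's points together: an identity static for the public DMZ subnet, the nat 0 exemption as the alternative the poster asked about, the ACL applied inbound on outside, and an optional ACL on the DMZ that only matters if you want to restrict what the DMZ may initiate. The subnet 195.17.10.0/28 is taken from Jon's example; the interface names, the host 195.17.10.5, the ACL names and the ports are assumptions.

```cisco
! Assumed interface names and security levels (PIX 7.x syntax;
! on 6.x this is a single line such as "nameif ethernet1 dmz security50").
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif dmz
 security-level 50
!
! Option A: identity static, so 195.17.10.0/28 is reachable from outside under
! its own addresses. This is the "NAT rule" needed while nat-control is in
! effect for traffic from the lower (outside) to the higher (dmz) interface.
static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240
!
! Option B (the "nat 0" the poster asked about): NAT exemption via an ACL.
! Shown commented out; use either A or B for this subnet, not both.
! The ACL form exempts both directions; the bare form
! "nat (dmz) 0 195.17.10.0 255.255.255.240" only covers connections the
! dmz initiates (identity NAT), which would not help outside -> dmz.
! access-list DMZ_NONAT extended permit ip 195.17.10.0 255.255.255.240 any
! nat (dmz) 0 access-list DMZ_NONAT
!
! Lower -> higher (outside -> dmz) always needs an ACL. The return packets of
! these connections are matched against the conn table on the way back, so no
! ACL on dmz is required for them.
access-list OUTSIDE_IN extended permit tcp any host 195.17.10.5 eq 80
access-list OUTSIDE_IN extended permit tcp any host 195.17.10.5 eq 443
access-group OUTSIDE_IN in interface outside
!
! Optional: only needed for Jon's case (a), restricting what the DMZ may start
! outbound, or case (b), letting it reach a higher-security interface.
! Without this ACL, dmz -> outside is permitted by security level alone.
! Caveat: once an ACL is bound to dmz its implicit deny covers everything the
! dmz initiates, so every permitted outbound flow must be listed here.
access-list DMZ_OUT extended permit tcp host 195.17.10.5 any eq 25
access-list DMZ_OUT extended permit udp host 195.17.10.5 any eq 53
access-group DMZ_OUT in interface dmz
```

On 6.x software drop the `extended` keyword from the access-list lines. To confirm the behaviour, `show xlate` lists the identity translations created by the static, and `show conn` shows the established connections whose return traffic the firewall is admitting without any ACL match on dmz.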

I've got it, thanks. I have one other question if you don't mind. We also have an ASA set up with 2 interfaces, one with 192.168.1.x and the other with 10.1.10.x. Now we have the ACLs configured and traffic can pass between subnets without any NAT statement. How is this possible?

It may well be that you have nat-control turned off. If you have, then you don't need NAT to allow traffic from a lower to a higher security interface, but you still need an ACL.

Jon

There is nothing to say it is switched off. This is an ASA running v8.0.

That's because nat-control is disabled by default on ASA with v8.x software -

https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422

Jon
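As an added example (not from the thread, and not the poster's ASA config), this fragment shows why nothing in the running config indicates the setting, how to check it, and what would additionally be required if nat-control were enabled. The interface names inside (192.168.1.0/24) and dmz (10.1.10.0/24), the ACL name and the port are assumptions, as is the use of `show running-config all` to display default values.

```cisco
! "no nat-control" is the 8.x default, and defaults are omitted from
! "show running-config". Ask for defaults explicitly (assumed to print
! "no nat-control" on an unmodified 8.0 box):
!   show running-config all nat-control
!
! With nat-control off, ACLs alone decide what crosses between the two
! subnets; no static or nat statement is involved.
access-list DMZ_IN extended permit tcp 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-group DMZ_IN in interface dmz
!
! If nat-control is turned on (for example after migrating a PIX config that
! had it set), lower -> higher traffic also needs a translation to match, so
! an identity static for the inside subnet as seen from dmz must be added,
! exactly as Jon described for the PIX DMZ:
nat-control
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
```

Leaving nat-control off is the simpler configuration here, but the ACL remains mandatory for dmz -> inside because the security levels alone deny lower-to-higher traffic.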

Many Thanks!
