03-11-2009 05:42 AM - edited 03-11-2019 08:03 AM
I have a Cisco PIX 525 with 5 interfaces. 1 is the outside interface with a public address, and there is another public network in the DMZ. Now there are no translations between the DMZ and outside as both contain routable addresses. Now I have created the ACLS, for the outside to get to the DMZ and the traffic works fine. My question is do I need to allow the traffic back from the DMZ or will the traffic be allowed to return due to it being an SPI firewall?
Also do I need a NAT 0 statement for traffic passing from the DMZ to the outside?
03-11-2009 06:05 AM
Lewis
Not sure what you mean by no NAT translations. Have you turned NAT off?
Even using public IP addresses on the DMZ, you still need to have a NAT rule for traffic to be allowed from a lower to a higher security interface, e.g. something like
static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240
So have you turned NAT off, or do you have a statement like the one above?
If you have turned NAT off, nothing is needed on the DMZ interface, i.e. no nat statement and no ACL.
If you have a static statement like the one given above, then you don't need to do anything else.
Jon
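A worked PIX/ASA 7.x/8.0 configuration for the setup Jon describes, added here as an example and not posted by anyone in the thread. The 195.17.10.0/28 DMZ prefix comes from the static above; the interface names, the outside address, the DMZ gateway address and the web server 195.17.10.5 are assumed for illustration.

```text
! Added example, not from the thread. Assumed: outside on Ethernet0,
! DMZ on Ethernet1, web server 195.17.10.5 in the 195.17.10.0/28 DMZ.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 195.17.9.2 255.255.255.252
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 195.17.10.1 255.255.255.240
!
! Identity static: DMZ hosts keep their public addresses toward the outside.
! It satisfies nat-control for connections started from either side, unlike
! "nat (dmz) 0 195.17.10.0 255.255.255.240" (identity NAT without an
! access-list), which only covers connections initiated from the DMZ side.
static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240
!
! Inbound from outside: only what the ACL permits, implicit deny for the rest.
access-list outside_in extended permit tcp any host 195.17.10.5 eq 80
access-group outside_in in interface outside
!
! No ACL bound to dmz: replies are matched by the connection table, and new
! sessions from dmz (50) to outside (0) are allowed by security level.
! Bind one only to restrict outbound traffic or to permit dmz -> inside, e.g.:
! access-list dmz_in extended permit tcp 195.17.10.0 255.255.255.240 any eq 25
! access-group dmz_in in interface dmz
!
! If nat-control is off, the static is not required for traffic to pass and
! the ACLs alone decide. Check with:
! show running-config | include nat-control
```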
03-11-2009 06:24 AM
We have a NO NAT statement for the DMZ subnet going anywhere
03-11-2009 06:27 AM
Lewis
What is the actual config to do this on your firewall?
Are you experiencing any connectivity problems?
As for the ACL, you don't need one on the DMZ, as return traffic from the DMZ to outside will be allowed due to the stateful nature of the firewall, and connections from the DMZ can be initiated to a lower security interface.
Only if you wanted to
a) restrict outbound traffic from DMZ
OR
b) allow traffic from DMZ to a higher security interface such as the inside
would you need an acl.
Jon
03-11-2009 06:37 AM
I've got it, thanks. I have one other question if you don't mind. We also have an ASA set up with 2 interfaces, one with 192.168.1.x and the other with 10.1.10.x. Now we have the ACLs configured and traffic can pass between subnets without any NAT statement. How is this possible?
03-11-2009 06:43 AM
It may well be that you have nat-control turned off. If you have, then you don't need NAT to allow traffic from a lower to a higher security interface, but you still need an ACL.
Jon
03-11-2009 06:56 AM
There is nothing to say it is switched off. This is an ASA running v8.0.
03-11-2009 07:00 AM
That's because nat-control is disabled by default on ASA with v8.x software -
https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422
Jon
03-11-2009 07:02 AM
Many Thanks!
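The admission rules Jon spells out across the thread (replies admitted by the connection table, security levels deciding new connections unless an ACL is bound, and nat-control refusing a new connection with no translation) as a small runnable model. This is an added example written for this page, not Cisco code, and it simplifies the real platform. The 195.17.10.0/28 DMZ and the 192.168.1.x / 10.1.10.x subnets come from the thread; the outside hosts in 203.0.113.0/24, the second ASA interface name "lan2", the server addresses and the port numbers are constructed for the demo.

```python
# Added example, not Cisco code: a simplified model of how a PIX/ASA decides
# whether to admit a packet, covering the three rules discussed in the thread.
# Addresses in 203.0.113.0/24, the interface name "lan2", host addresses and
# ports are constructed for the demo.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


@dataclass
class Firewall:
    levels: dict                                  # interface -> security level
    routes: dict                                  # interface -> routed prefix
    acls: dict = field(default_factory=dict)      # interface -> inbound ACL rules
    statics: list = field(default_factory=list)   # (real_if, mapped_if, prefix)
    nat_control: bool = True
    conns: set = field(default_factory=set)       # (src, dst, dport, sport)

    def egress_iface(self, dst):
        """Longest-prefix match over the routed prefixes."""
        best = None
        for name, prefix in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
        if best is None:
            raise ValueError(f"no route to {dst}")
        return best[0]

    def acl_permits(self, iface, pkt):
        """None if no ACL is bound; otherwise first-match verdict, implicit deny."""
        acl = self.acls.get(iface)
        if acl is None:
            return None
        for action, src_net, dst_net, port in acl:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and port in (None, pkt.dport)):
                return action == "permit"
        return False

    def has_translation(self, ingress, egress, pkt):
        """A static (real,mapped) covers real->mapped by source, mapped->real by destination."""
        for real, mapped, prefix in self.statics:
            if (ingress, egress) == (real, mapped) and ip_address(pkt.src) in ip_network(prefix):
                return True
            if (ingress, egress) == (mapped, real) and ip_address(pkt.dst) in ip_network(prefix):
                return True
        return False

    def admit(self, ingress, pkt):
        egress = self.egress_iface(pkt.dst)
        # 1. Reply to a known connection: the conn table admits it with no ACL
        #    or security-level check (the stateful behaviour asked about).
        if (pkt.dst, pkt.src, pkt.sport, pkt.dport) in self.conns:
            return True, "existing connection"
        # 2. With nat-control on, a new connection needs a translation between
        #    the two interfaces, even an identity one like the thread's static.
        if self.nat_control and not self.has_translation(ingress, egress, pkt):
            return False, "nat-control: no translation"
        # 3. An ACL bound to the ingress interface decides if present; without
        #    one, higher -> lower is allowed and lower -> higher is denied.
        verdict = self.acl_permits(ingress, pkt)
        if verdict is None:
            ok, why = self.levels[ingress] > self.levels[egress], "security level"
        else:
            ok, why = verdict, "acl on " + ingress
        if ok:
            self.conns.add((pkt.src, pkt.dst, pkt.dport, pkt.sport))
        return ok, why


def scenario_pix():
    """The PIX from the thread: identity statics, ACL bound on outside only."""
    fw = Firewall(
        levels={"outside": 0, "dmz": 50, "inside": 100},
        routes={"outside": "0.0.0.0/0", "dmz": "195.17.10.0/28", "inside": "192.168.1.0/24"},
        acls={"outside": [("permit", "0.0.0.0/0", "195.17.10.0/28", 80)]},
        statics=[("dmz", "outside", "195.17.10.0/28"), ("inside", "dmz", "192.168.1.0/24")],
        nat_control=True,
    )
    out = {}
    out["outside_to_dmz"] = fw.admit("outside", Packet("203.0.113.10", "195.17.10.5", 80, 51000))
    out["dmz_reply"] = fw.admit("dmz", Packet("195.17.10.5", "203.0.113.10", 51000, 80))
    out["dmz_new_outbound"] = fw.admit("dmz", Packet("195.17.10.5", "203.0.113.20", 443))
    out["dmz_to_inside"] = fw.admit("dmz", Packet("195.17.10.5", "192.168.1.10", 445))
    return out


def scenario_asa(nat_control):
    """The ASA 8.0 from the thread: two interfaces, ACLs, no NAT statements."""
    fw = Firewall(
        levels={"inside": 100, "lan2": 50},
        routes={"inside": "192.168.1.0/24", "lan2": "10.1.10.0/24"},
        acls={"lan2": [("permit", "10.1.10.0/24", "192.168.1.0/24", None)]},
        nat_control=nat_control,
    )
    return fw.admit("lan2", Packet("10.1.10.7", "192.168.1.20", 22))
```

Running scenario_pix() shows the inbound HTTP connection admitted by the outside ACL, the DMZ server's reply admitted as an existing connection with no DMZ ACL at all, a new DMZ-to-outside session admitted by security level, and a new DMZ-to-inside session refused by security level. scenario_asa(False) reproduces the ASA 8.0 behaviour in the thread (ACL alone admits the traffic), while scenario_asa(True) shows the same packet refused for lack of a translation once nat-control is on.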