ASA/pix question

marcusbrutus · ‎05-30-2009

Hi. Is it true that i would need both an acl allowing packets from a lower security pix interface and a static nat in order to allow ip traffic to flow from a lower security interface to a higher security interface. The reason i am asking is that i am considering placing some basic servers in a dmz int of my pix with security level of 50. My internal network is within security 0. I want my internal network to access my dmz servers but using only acceptable ports which i will set using an acl going out the dmz interface. But i also need my active directory and other servers to update my workstations within the inside network.

Thanks in advance.

marcusbrutus · ‎05-30-2009

sorry. my inside interface has a security level of 100.

whiteford · ‎05-30-2009

Hi,

I have many DMZ's/VLAN's ff my ASA on lower security levels as the internal is 100 and the internet is 0. However you don't have to use static NAT just set up the correct ACL's/ACE's in your required direction and use NAT exempt's.

Nat Exempt is used when you dont wish to hide/nat your source address from the other end , this scenario is generally used when you want to pass traffic between two private interfaces where even private addresses are routable and you wish to preserve the source header as it is.

I some pros turn off NAT by using "no nat-control", but some feel the nat provides extra security. I think this is off in 8.x anyway. So you may find all you need to do is create the rules between your DMZ's/VLAN's. I say VLAN's as it is common to have a switch connected to your ASA/Pix and create sub-interfaces from that which travel of the trunk port to the switch.

Anyway hopes this helps and plz rate.