Firewalling - Basic Doubt- plz help

Answered Question
Jun 13th, 2009

Dear Friends,

I have a doubt regarding the firewalling concepts. Let's say I have a brand new firewall with two interfaces (inside and outside). I configured IP addresses on both interfaces and access lists for inside access and outside access, and applied those ACLs on the appropriate interfaces in the "in" direction. So far I have not configured any NAT statements.

for your information,

Outside IP address :- 100.100.100.1/30 (this interface is connected to a router)

Inside IP address :- 10.64.3.1

I heard that the PIX firewall will not allow traffic to pass from the outside interface to the inside interface unless explicitly permitted. In this scenario I tried to ping from the router which is connected to the outside of the PIX firewall to a host connected on the inside (10.64.3.10). It was not pinging at first, and when I permitted ICMP any any in the inside and outside directions, it started working. Without any nat, NAT 0 or static statements, how is it possible?

Please help me in understanding this.

Correct Answer
trevora Mon, 06/15/2009 - 03:00

By default NAT-CONTROL is disabled, which means that if there is L3 connectivity from outside to inside then you are not forced to use NAT. In your case the router most likely knew how to get to your inside network addresses via a static route. This is fine in your test lab, but you would not be able to do this over the internet to a private address range.

If you were not able to advertise your routes on the outside then you would use a static NAT and advertise the NAT address. Remember that you will need to open ACL access for the NAT address on the outside ACL to allow incoming access, as the ACL is evaluated before NAT takes place.

If you enable NAT-CONTROL then you will have to NAT everything, in and out. Generally the only time you will not use NAT-CONTROL is if you have public IPs inside that are routable by your outside network.
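As an added illustration (not part of the thread), both states the answer describes in PIX/ASA 7.x (pre-8.3) configuration syntax: the lab setup from the question, then the nat-control plus static NAT setup. The mapped address 100.100.100.10, the ACL names and the /24 inside mask are assumptions.

```cisco
! --- Part 1: the state described in the question (lab only) ---
! nat-control is off by default on PIX 7.x, so a flow is allowed as soon as
! routes exist in both directions and the interface ACLs permit it.
no nat-control
interface Ethernet0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.64.3.1 255.255.255.0
! The outside ACL is what let the router's echo request in. The inside ACL was
! needed for the echo reply, because ICMP is not tracked statefully unless
! "inspect icmp" is enabled (see the end of this example).
access-list outside_in extended permit icmp any any
access-group outside_in in interface outside
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

! --- Part 2: what the answer recommends when 10.64.3.0/24 must not be
!     routed from the outside ---
nat-control
! One-to-one static translation: the host is reached as 100.100.100.10
! (assumed mapped address). The upstream router needs a route for it via
! 100.100.100.1; that is the "advertise the NAT address" step.
static (inside,outside) 100.100.100.10 10.64.3.10 netmask 255.255.255.255
! Pre-8.3 code evaluates the inbound ACL before NAT, so the outside ACL must
! name the mapped address, not 10.64.3.10. Permit only echo, not all ICMP.
no access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any host 100.100.100.10 echo
access-group outside_in in interface outside
! With nat-control on, outbound flows also need a translation; anything
! without one is dropped (the implicit deny seen in the follow-up reply).
global (outside) 1 interface
nat (inside) 1 10.64.3.0 255.255.255.0
! Optional: make ICMP stateful so echo replies return without an inside ACL
! permit. This adds to the default global policy present on PIX/ASA 7.x.
policy-map global_policy
 class inspection_default
  inspect icmp
```

On ASA 8.3 and later the NAT syntax changed and interface ACLs match the real (untranslated) address, so the "ACL names the mapped address" rule in Part 2 applies only to the pre-8.3 code the thread discusses.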

sudheesh.pb Mon, 06/15/2009 - 10:32

Thanks for the information. I tried enabling NAT-CONTROL and found that if the translation is not there, it's blocked by an implicit deny. Thanks once again.
