Firewalling - Basic Doubt- plz help

sudheesh.pb
Level 1

Dear Friends,

I have a doubt regarding the firewalling concepts. Let's say I have a brand new firewall with two interfaces (inside and outside). I configured IP addresses on both interfaces, access lists for inside access and outside access, and applied those ACLs on the appropriate interfaces in the "in" direction. So far I have not configured any NAT statements.

for your information,

Outside IP address :- 100.100.100.1/30 (this interface is connected to a router)

Inside IP address :- 10.64.3.1

I heard that the PIX firewall will not allow traffic to pass from the outside interface to the inside interface unless explicitly permitted. In this scenario I tried to ping from the router which is connected to the outside of the PIX firewall to a host connected on the inside (10.64.3.10). It was not pinging at first; after I permitted ICMP any any in the inside and outside directions, it started working. Without any nat, nat 0, or static statements, how is it possible?

Please help me understand this.

Accepted Solution

trevora
Level 1

By default NAT-CONTROL is disabled, which means that if there is L3 connectivity from outside to inside then you are not forced to use NAT. In your case the router most likely knew how to get to your inside network addresses via a static route. This is fine in your test lab, but you would not be able to do this over the internet to a pvt address range.

If you were not able to advertise your routes on the outside then you would use a static NAT and advertise the NAT address. Remember that you will need to open ACL access for the NAT address on the outside ACL to allow incoming access, as the ACL is evaluated before NAT takes place.

If you enable NAT-CONTROL then you will have to NAT everything, in and out. Generally the only time you will not use NAT-CONTROL is if you have public IPs inside that are routable by your outside network.

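As an added example (not trevora's text or a Cisco sample), here is the PIX 7.x / ASA pre-8.3 configuration that the accepted answer describes for the nat-control case: a static translation for 10.64.3.10, and an outside ACL entry written against the mapped address because the ACL is evaluated before NAT. The interface names, the /24 inside mask, the ACL name outside_in and the mapped address 100.100.100.5 are assumptions; the upstream router is assumed to have a route for 100.100.100.5 pointing at 100.100.100.1.

```cisco
! Added example, not from the thread. PIX 7.x / ASA pre-8.3 syntax.
! Interface addresses as given in the question; names and inside mask assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.64.3.1 255.255.255.0
!
! Require a translation for every flow that crosses the firewall.
! With this left at its default (disabled), an outside router that has a
! route to 10.64.3.0/24 can reach inside hosts untranslated, as the poster saw.
nat-control
!
! One-to-one static: inside 10.64.3.10 is presented as 100.100.100.5 outside.
! 100.100.100.5 is an assumed spare address outside the /30, so the router
! needs a static route for it via 100.100.100.1.
static (inside,outside) 100.100.100.5 10.64.3.10 netmask 255.255.255.255
!
! Outbound PAT for the rest of the inside subnet, so nat-control does not
! drop their outbound traffic for lack of a translation.
nat (inside) 1 10.64.3.0 255.255.255.0
global (outside) 1 interface
!
! The inbound ACL on outside is evaluated before NAT, so it must permit the
! mapped address 100.100.100.5, not the real address 10.64.3.10.
access-list outside_in extended permit icmp any host 100.100.100.5 echo
access-group outside_in in interface outside
```

With nat-control enabled and the static removed, the same ping from the router is dropped for lack of a translation, which matches what the poster reported after testing.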


Thanks for the information. I tried enabling NAT-CONTROL and found that if the translation is not there, it's blocked by an implicit deny. Thanks once again.
