06-13-2009 11:18 AM - edited 03-11-2019 08:43 AM
Dear Friends,
I have a doubt regarding the firewalling concepts. Let's say I have a brand new firewall with two interfaces (inside and outside). I configured IP addresses on both interfaces, access lists for inside access and outside access, and applied those ACLs on the appropriate interfaces in the "in" direction. So far I have not configured any NAT statements.
For your information:
Outside IP address: 100.100.100.1/30 (this interface is connected to a router)
Inside IP address: 10.64.3.1
I heard that the PIX firewall will not allow traffic to pass from the outside interface to the inside interface unless explicitly permitted. In this scenario I tried to ping from the router which is connected to the outside of the PIX firewall to a host connected on the inside (10.64.3.10). It was not pinging at first, and when I permitted ICMP any any in the inside and outside directions, it started working. Without any nat, NAT 0, or static statements, how is it possible?
Please help me understand this.
06-15-2009 03:00 AM
By default NAT-CONTROL is disabled, which means that if there is L3 connectivity from outside to inside then you are not forced to use NAT. In your case the router most likely knew how to get to your inside network addresses via a static route. This is fine in your test lab but you would not be able to do this over the internet to a pvt address range.
If you were not able to advertise your routes on the outside then you would use a static NAT and advertise the NAT address. Remember that you will need to open ACL access for the NAT address on the outside ACL to allow incoming access, as the ACL is evaluated before NAT takes place.
If you enable NAT-CONTROL then you will have to NAT everything, in and out. Generally the only time you will not use NAT-CONTROL is if you have public IPs inside that are routable by your outside network.
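As an added illustration (not part of this thread and not PIX code): a small Python model of the outside-to-inside packet path the answer describes on pre-8.3 PIX/ASA software, where the inbound ACL on the outside interface is evaluated before untranslation, and nat-control decides whether a packet without a translation is dropped. The router address 100.100.100.2, the mapped address 100.100.100.10 and the /24 inside mask are constructed for the example; the inside host 10.64.3.10 is the one from the question.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass
class Acl:
    """Ordered list of (proto, src_net, dst_net, action); first match wins."""
    entries: list

    def permits(self, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        for e_proto, src_net, dst_net, action in self.entries:
            if e_proto in (proto, "ip") and src in src_net and dst in dst_net:
                return action == "permit"
        return False  # implicit deny at the end of every ACL


@dataclass
class Firewall:
    nat_control: bool = False
    outside_acl: Acl = field(default_factory=lambda: Acl([]))
    # static (inside,outside) entries: mapped (outside) address -> real (inside) address
    statics: dict = field(default_factory=dict)
    # networks reachable through the inside interface (static routes)
    routes_to_inside: list = field(default_factory=list)

    def outside_to_inside(self, proto: str, src: str, dst: str) -> tuple:
        """Return (verdict, reason, real_dst) for a packet arriving on outside."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # 1. The outside interface's inbound ACL sees the packet as it arrives,
        #    i.e. with the mapped address, before any untranslation (pre-8.3 behaviour).
        if not self.outside_acl.permits(proto, src_ip, dst_ip):
            return ("drop", "acl-deny", None)
        # 2. Translation lookup.
        if dst_ip in self.statics:
            real, reason = self.statics[dst_ip], "static-untranslate"
        elif self.nat_control:
            # nat-control: a packet that matches no translation is not forwarded.
            return ("drop", "no-translation", None)
        else:
            real, reason = dst_ip, "no-nat-needed"
        # 3. Routing toward the inside interface.
        if not any(real in net for net in self.routes_to_inside):
            return ("drop", "no-route", None)
        return ("forward", reason, str(real))


ROUTER = "100.100.100.2"                  # constructed: router on the /30 facing outside
INSIDE_HOST = "10.64.3.10"                # from the question
MAPPED = "100.100.100.10"                 # constructed: static NAT address advertised outside
INSIDE_NET = ip_network("10.64.3.0/24")   # assumed mask for the inside network


def ping_without_nat_control():
    """The questioner's lab: no NAT, ICMP permitted, route present -> forwarded."""
    fw = Firewall(nat_control=False,
                  outside_acl=Acl([("icmp", ANY, ANY, "permit")]),
                  routes_to_inside=[INSIDE_NET])
    return fw.outside_to_inside("icmp", ROUTER, INSIDE_HOST)


def ping_with_nat_control_no_xlate():
    """Same setup with nat-control enabled: dropped for lack of a translation."""
    fw = Firewall(nat_control=True,
                  outside_acl=Acl([("icmp", ANY, ANY, "permit")]),
                  routes_to_inside=[INSIDE_NET])
    return fw.outside_to_inside("icmp", ROUTER, INSIDE_HOST)


def ping_with_static_nat():
    """Static NAT plus an outside ACL written for the mapped address -> forwarded."""
    fw = Firewall(nat_control=True,
                  statics={ip_address(MAPPED): ip_address(INSIDE_HOST)},
                  outside_acl=Acl([("icmp", ANY, ip_network(MAPPED + "/32"), "permit")]),
                  routes_to_inside=[INSIDE_NET])
    return fw.outside_to_inside("icmp", ROUTER, MAPPED)


def ping_with_acl_on_real_address():
    """ACL mistakenly written for the real address: denied, since ACL runs before NAT."""
    fw = Firewall(nat_control=True,
                  statics={ip_address(MAPPED): ip_address(INSIDE_HOST)},
                  outside_acl=Acl([("icmp", ANY, ip_network(INSIDE_HOST + "/32"), "permit")]),
                  routes_to_inside=[INSIDE_NET])
    return fw.outside_to_inside("icmp", ROUTER, MAPPED)


if __name__ == "__main__":
    for scenario in (ping_without_nat_control, ping_with_nat_control_no_xlate,
                     ping_with_static_nat, ping_with_acl_on_real_address):
        print(f"{scenario.__name__}: {scenario()}")
```

The last scenario is the trap the answer warns about: with a static in place, the outside ACL must reference the mapped (NAT) address, not the real inside address. Note that this ordering is specific to PIX and ASA releases before 8.3; from 8.3 onward ACLs match the real address, and the model above would need its first step changed accordingly.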
06-15-2009 10:32 AM
Thanks for the information. I tried enabling NAT-CONTROL and found that if the translation is not there, it is blocked by an implicit deny. Thanks once again.