Solved: Access from low security interface to high security interface

timkaye · ‎12-18-2007

Hi all.

I thought I had a pretty solid grasp of the Cisco's firewalls, so this puzzles me.

I always understood access from a lower security interface to a higher security interface required a form of translation or xlate using a static statement. When I use the term translation and xlate the static statement could actually NAT or NOT NAT traffic from the low interface to the high interface.

I'm looking at a firewall configuration where there is no static statements, no globals and no NAT statements and traffic appears to be initiated from the lower interface (security 0) to a higher interface (security 90).

How is this so? Its an ASA5510 running 7.0(6).

Is my understanding completely wrong?

Thanks in advance

srue · ‎12-18-2007

is nat-control enabled?

"show run nat-control"

if nat-control is not enabled (the default(unless an upgrade from 6.x has been done)), you do not need nat entries (static or dynamic) for internal hosts (hosts on higher security-level interfaces) to be reached from lower security level interfaces, or for them to initiate outbound traffic. This feature is new with 7.x.

If nat-control is enabled, then it behaves like 6.x and its predecessors, and nat entries are required for anything going from a higher security level interface to a lower level interface.

View solution in original post

ccbootcamp · ‎12-18-2007

You'll need an ACL allowing the traffic.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

timkaye · ‎12-18-2007

Hi Brad,

Thanks for the reply.

I'm aware of access-lists requring to permit/deny traffic. There is an ACl bound to both interfaces, and I can see it being matched only from low to high.

I don't recall every seeing a firewall with just acl's bound and no translations.

ccbootcamp · ‎12-18-2007

What about between your DMZ and INSIDE interfaces? That's a pretty standard situation to not have any translations, don't ya think?

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

timkaye · ‎12-18-2007

Agreed.

But i've always achieved this using a static statement which simply exposes the inside network to the dmz with no address translation.

inside 10.1.10.x

DMZ 10.1.20.x

static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

Cisco's command reference indicates traffic between low to high requires a static.

srue · ‎12-18-2007

is nat-control enabled?

"show run nat-control"

if nat-control is not enabled (the default(unless an upgrade from 6.x has been done)), you do not need nat entries (static or dynamic) for internal hosts (hosts on higher security-level interfaces) to be reached from lower security level interfaces, or for them to initiate outbound traffic. This feature is new with 7.x.

If nat-control is enabled, then it behaves like 6.x and its predecessors, and nat entries are required for anything going from a higher security level interface to a lower level interface.

timkaye · ‎12-18-2007

Hey there.

Thanks for the response. It's not configured (enabled). Explains it then.

Someone has configured a firewall with all the statics, with nat-control not enabled. WHY WHY WHY!!

NAT-CONTROL WHY WHY WHY!!!

srue · ‎12-19-2007

glad i could help...

(and thanks for the rating)...