
New Member

Access from low security interface to high security interface

Hi all.

I thought I had a pretty solid grasp of Cisco's firewalls, so this puzzles me.

I always understood access from a lower security interface to a higher security interface required a form of translation or xlate using a static statement. When I use the term translation and xlate the static statement could actually NAT or NOT NAT traffic from the low interface to the high interface.

I'm looking at a firewall configuration where there is no static statements, no globals and no NAT statements and traffic appears to be initiated from the lower interface (security 0) to a higher interface (security 90).

How is this so? It's an ASA5510 running 7.0(6).

Is my understanding completely wrong?

Thanks in advance

  • Firewalling

7 REPLIES

Re: Access from low security interface to high security interface

You'll need an ACL allowing the traffic.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

New Member

Re: Access from low security interface to high security interface

Hi Brad,

Thanks for the reply.

I'm aware that access-lists are required to permit/deny traffic. There is an ACL bound to both interfaces, and I can see it being matched only from low to high.

I don't recall ever seeing a firewall with just ACLs bound and no translations.

Re: Access from low security interface to high security interface

What about between your DMZ and INSIDE interfaces? That's a pretty standard situation to not have any translations, don't ya think?

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

New Member

Re: Access from low security interface to high security interface

Agreed.

But I've always achieved this using a static statement which simply exposes the inside network to the DMZ with no address translation.

inside 10.1.10.x

DMZ 10.1.20.x

static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

Cisco's command reference indicates traffic between low to high requires a static.

Gold (accepted solution)

Re: Access from low security interface to high security interface

Is nat-control enabled?

"show run nat-control"

If nat-control is not enabled (the default, unless an upgrade from 6.x has been done), you do not need NAT entries (static or dynamic) for internal hosts (hosts on higher security-level interfaces) to be reached from lower security-level interfaces, or for them to initiate outbound traffic. This feature is new with 7.x.

If nat-control is enabled, then it behaves like 6.x and its predecessors, and NAT entries are required for anything going from a higher security-level interface to a lower-level interface.
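
As an added check (not from the thread and not Cisco's tooling): a small Python audit that reads a constructed ASA 7.x running-config excerpt, reports whether nat-control is enabled, and, for each host an inbound ACL permits on the low-security interface, says whether a static from a higher-security interface covers it. The config text, interface names and addresses are constructed; the parser only understands the "permit proto any host X" ACL form and the "static (real,mapped)" form used in the thread.

```python
import ipaddress
import re
# Constructed ASA 7.x running-config excerpt, not taken from the thread or any real device.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 90
nat-control
access-list OUTSIDE_IN extended permit tcp any host 10.1.10.5 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.1.30.7 eq 22
access-group OUTSIDE_IN in interface outside
static (inside,outside) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) \S+ (\S+)(?: netmask (\S+))?")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")  # 'any host X' form only
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def parse_config(text):
    """Collect security levels, nat-control state, statics, permitted hosts and inbound ACL binds."""
    levels, statics, acls, binds, cur = {}, [], {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"^ nameif (\w+)", line):
            cur = m.group(1)
        elif m := re.match(r"^ security-level (\d+)", line):
            levels[cur] = int(m.group(1))
        elif m := STATIC_RE.match(line):  # (real_if, mapped_if) and the mapped network
            real_if, mapped_if, mapped, mask = m.groups()
            statics.append((real_if, mapped_if, ipaddress.ip_network(f"{mapped}/{mask or 32}", strict=False)))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(ipaddress.ip_address(m.group(2)))
        elif m := GROUP_RE.match(line):
            binds[m.group(2)] = m.group(1)
    nat_control = any(l.strip() == "nat-control" for l in text.splitlines())  # 'no nat-control' is off
    return levels, nat_control, statics, acls, binds

def audit(text):
    """Per permitted host: is it reachable from the low interface, and does a static (high,low) cover it?"""
    levels, nat_control, statics, acls, binds = parse_config(text)
    findings = {}
    for low_if, acl in binds.items():
        for dst in acls.get(acl, []):
            covered = any(mapped_if == low_if and levels.get(real_if, 0) > levels.get(low_if, 0) and dst in net
                          for real_if, mapped_if, net in statics)
            findings[str(dst)] = ("dropped: nat-control on, no static covers it" if nat_control and not covered
                                  else "allowed via static" if covered else "allowed: nat-control off")
    return nat_control, findings
```

Run audit() on the output of "show running-config" to see which permitted hosts would silently lose reachability if someone turned nat-control on.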

New Member

Re: Access from low security interface to high security interface

Hey there.

Thanks for the response. It's not configured (enabled). That explains it, then.

Someone has configured a firewall with all the statics, with nat-control not enabled. WHY WHY WHY!!

NAT-CONTROL WHY WHY WHY!!!

Gold

Re: Access from low security interface to high security interface

Glad I could help...

(and thanks for the rating)...
