Cisco Support Community

New Member

Firewalling - Basic Doubt - plz help

Dear Friends,

I have a doubt regarding the firewalling concepts. Let's say I have a brand new firewall with two interfaces (inside and outside). I configured IP addresses on both interfaces, access lists for inside access and outside access, and applied those ACLs on the appropriate interfaces in the "in" direction. So far I have not configured any NAT statements.

for your information,

Outside IP address: 100.100.100.1/30 (this interface is connected to a router)

Inside IP address: 10.64.3.1

I heard that the PIX firewall will not allow traffic to pass from the outside interface to the inside interface unless explicitly permitted. In this scenario I tried to ping from the router connected to the outside of the PIX firewall to a host connected on the inside (10.64.3.10). It was not pinging at first; then I permitted ICMP any any in the inside and outside directions, and it started working. Without any nat, nat 0, or static statements, how is it possible?

Please help me understand this.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Firewalling - Basic Doubt - plz help

By default NAT-CONTROL is disabled, which means that if there is L3 connectivity from outside to inside then you are not forced to use NAT. In your case the router most likely knew how to get to your inside network addresses via a static route. This is fine in your test lab, but you would not be able to do this over the internet to a private address range.

If you were not able to advertise your routes on the outside then you would use a static NAT and advertise the NAT address. Remember that you will need to open ACL access for the NAT address on the outside ACL to allow incoming access, as the ACL is evaluated before NAT takes place.

If you enable NAT-CONTROL then you will have to NAT everything, in and out. Generally the only time you will not use NAT-CONTROL is if you have public IPs inside that are routable by your outside network.

2 REPLIES

New Member

Re: Firewalling - Basic Doubt - plz help

Thanks for the information. I tried enabling NAT-CONTROL and found that if there is no translation, it's blocked by an implicit deny. Thanks once again.
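Added example (not from this thread and not Cisco code): a small Python model of the outside-to-inside packet path that the accepted answer and the follow-up describe. It models three things in the order the answer gives them: the outside interface ACL is evaluated against the address on the wire before any translation, a `static (inside,outside)` entry rewrites the destination, and `nat-control` drops any flow that has no translation. The router address 100.100.100.2 is assumed (the other side of the /30 in the thread), the mapped address 100.100.101.10 is constructed for the static-NAT case, and all class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def _addr_in(addr: str, spec: str) -> bool:
    """True if addr falls inside spec; 'any' is the ACL keyword for 0.0.0.0/0."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class AclEntry:
    """One line of an interface ACL: permit|deny <proto> <src> <dst>."""
    action: str   # "permit" or "deny"
    proto: str    # "icmp", "tcp", "udp" or "ip" (matches everything)
    src: str      # "any" or a CIDR such as "10.64.3.10/32"
    dst: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (self.proto in ("ip", proto)
                and _addr_in(src, self.src)
                and _addr_in(dst, self.dst))


@dataclass
class PixModel:
    """Toy model of the outside->inside path (hypothetical, not Cisco code)."""
    nat_control: bool = False                          # 'nat-control' on/off
    outside_acl: list = field(default_factory=list)    # applied 'in' on outside
    statics: dict = field(default_factory=dict)        # mapped -> real address
    inside_routes: list = field(default_factory=list)  # networks routable on inside

    def inbound(self, proto: str, src: str, dst: str):
        """Process a packet arriving on outside; returns (verdict, reason, delivered_dst)."""
        # Step 1: the outside ACL sees the packet before any translation, so
        # 'dst' here is the address on the wire: the mapped (public) address
        # when static NAT is in play, or the real address when nothing is NATed.
        for entry in self.outside_acl:
            if entry.matches(proto, src, dst):
                if entry.action == "deny":
                    return ("drop", "acl-deny", None)
                break
        else:
            return ("drop", "acl-implicit-deny", None)
        # Step 2: NAT lookup; a static translation rewrites the destination.
        if dst in self.statics:
            return ("forward", "static-nat", self.statics[dst])
        # Step 3: with nat-control enabled, a flow without a translation is dropped.
        if self.nat_control:
            return ("drop", "nat-control-no-translation", None)
        # Step 4: nat-control disabled -> plain routing, which is the lab case above.
        if any(ip_address(dst) in ip_network(net) for net in self.inside_routes):
            return ("forward", "routed-no-nat", dst)
        return ("drop", "no-route", None)


ROUTER = "100.100.100.2"       # assumed: the router on the other side of the /30
INSIDE_HOST = "10.64.3.10"     # inside host from the thread
MAPPED = "100.100.101.10"      # constructed mapped address for the static example
PERMIT_ICMP_ANY = AclEntry("permit", "icmp", "any", "any")


def lab_scenario():
    """Original lab: nat-control off, no NAT, 'permit icmp any any' on outside."""
    fw = PixModel(outside_acl=[PERMIT_ICMP_ANY], inside_routes=["10.64.3.0/24"])
    return fw.inbound("icmp", ROUTER, INSIDE_HOST)


def nat_control_scenario():
    """Same lab after 'nat-control': no translation exists, so the flow is dropped."""
    fw = PixModel(nat_control=True, outside_acl=[PERMIT_ICMP_ANY],
                  inside_routes=["10.64.3.0/24"])
    return fw.inbound("icmp", ROUTER, INSIDE_HOST)


def static_nat_scenario(acl_on_mapped: bool):
    """Static NAT with the outside ACL written for the mapped or the real address."""
    target = MAPPED if acl_on_mapped else INSIDE_HOST
    fw = PixModel(nat_control=True,
                  outside_acl=[AclEntry("permit", "icmp", "any", target + "/32")],
                  statics={MAPPED: INSIDE_HOST})
    # The router sends to the advertised mapped address, never to 10.64.3.10.
    return fw.inbound("icmp", ROUTER, MAPPED)


if __name__ == "__main__":
    print("lab, nat-control off:    ", lab_scenario())
    print("lab, nat-control on:     ", nat_control_scenario())
    print("static, ACL on mapped:   ", static_nat_scenario(True))
    print("static, ACL on real addr:", static_nat_scenario(False))
```

The last two cases are the point of the answer's reminder: with the ACL written for the mapped address the ping is forwarded and translated to 10.64.3.10, but an ACL written for the real inside address never matches, because the ACL runs before NAT and only ever sees the mapped address.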
