01-12-2007 11:05 PM - edited 03-11-2019 02:18 AM
Hi,
Assume we are using an ASA with three zones configured; the security level of each interface is as below:
INSIDE=100
TRUSTED=90
OUTSIDE=0
Also assume I have IP scheme 1.1.1.0/24 for inside, 2.2.2.0/24 for trusted and 3.3.3.0/24 for outside.
I want to allow/permit the users from the Trusted and outside zones to inside without translation.
Please let me know whether the below configuration will work.
nat (trusted) 0 access-list nonattrust
nat (outside) 0 access-list nonatoutside
access-group outside in interface outside
access-group trust in interface trusted
access-list trust permit tcp host 2.2.2.5 host 1.1.1.5 eq 80
access-list nonattrust permit ip host 2.2.2.5 host 1.1.1.5
access-list outside permit tcp host 3.3.3.5 host 1.1.1.5 eq 80
access-list nonatoutside permit ip host 3.3.3.5 host 1.1.1.5
I am aware that for an inbound connection (lower to higher) a static translation is required, but I heard from one of my colleagues that the above config will work.
Expecting your earliest reply.
Thanks and Regards,
Magesh
01-14-2007 12:06 PM
Hi,
On the ASA there is an option to disable the need for mandatory traffic NAT, so no NAT 0 statement is needed. This will still let you use NAT for specific traffic.
Give it a try.
Please rate if this helped.
Regards,
Daniel
01-16-2007 03:55 AM
Hi,
I believe you are talking about the NAT-control feature. Please let me know whether the above config will work if I haven't used NAT-control.
Thanks,
Magesh
01-16-2007 05:24 AM
Hello Magesh,
As you know, the "nat-control" command was not there in the 6.x version. But the default behaviour back then was in fact that of "nat-control", meaning without a nat rule configured, inside traffic could not go outside.
However, in 7.x, the default is "no nat-control", which means inside traffic can traverse the firewall towards outside even if there is no nat translation configured.
So basically with "no nat-control" you open up the door for the traffic to go through the PIX even if there is no nat rule configured for that particular traffic.
Similarly for traffic from outside to inside with "no nat-control", you do not need any static defined either. The processing of an incoming packet continues (going through the ACL and seeing if we should block it or allow it, etc).
I think you should try the config on some test setup and confirm it's working...
Hope this helps..
Raj
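An added illustration (not part of the thread, and not Cisco code): a minimal Python model of the inbound decision Raj describes, run over the configuration posted in the first question. It assumes single-host ACEs only and treats a matching "nat 0 access-list" exemption as satisfying the translation requirement that nat-control imposes.

```python
# Simplified model of how an ASA decides an inbound (lower- to higher-security)
# flow with and without nat-control. Constructed for this thread; not Cisco code.

# Security levels from the original post.
LEVELS = {"inside": 100, "trusted": 90, "outside": 0}

# The configuration from the first post (constructed copy).
POSTED_CONFIG = """
nat (trusted) 0 access-list nonattrust
nat (outside) 0 access-list nonatoutside
access-group outside in interface outside
access-group trust in interface trusted
access-list trust permit tcp host 2.2.2.5 host 1.1.1.5 eq 80
access-list nonattrust permit ip host 2.2.2.5 host 1.1.1.5
access-list outside permit tcp host 3.3.3.5 host 1.1.1.5 eq 80
access-list nonatoutside permit ip host 3.3.3.5 host 1.1.1.5
"""

def parse_config(text):
    """Collect ACEs, inbound ACL bindings and nat 0 exemptions (host ACEs only)."""
    acls, bindings, exempt = {}, {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            port = int(t[9]) if len(t) > 9 and t[8] == "eq" else None
            acls.setdefault(t[1], []).append((t[2], t[3], t[5], t[7], port))
        elif t[0] == "access-group" and t[2] == "in":
            bindings[t[4]] = t[1]          # interface -> inbound ACL name
        elif t[0] == "nat" and t[2] == "0":
            exempt[t[1].strip("()")] = t[4]  # interface -> exemption ACL name
    return acls, bindings, exempt

def acl_matches(aces, proto, src, dst, dport):
    """First matching ACE decides; no match is the implicit deny."""
    for action, p, s, d, port in aces:
        if p in ("ip", proto) and s == src and d == dst and port in (None, dport):
            return action == "permit"
    return False

def inbound_allowed(text, in_if, out_if, proto, src, dst, dport, nat_control):
    """Decide a flow entering in_if and leaving out_if (lower to higher security)."""
    acls, bindings, exempt = parse_config(text)
    assert LEVELS[in_if] < LEVELS[out_if], "model covers lower-to-higher flows only"
    # Step 1: the inbound ACL must permit the flow; no ACL means nothing gets in.
    acl = bindings.get(in_if)
    if acl is None or not acl_matches(acls.get(acl, []), proto, src, dst, dport):
        return False
    # Step 2: under nat-control a translation is mandatory; a matching
    # 'nat 0 access-list' exemption is taken to satisfy it (model assumption).
    if nat_control:
        ex_acl = exempt.get(in_if)
        return ex_acl is not None and acl_matches(acls.get(ex_acl, []), proto, src, dst, dport)
    # Step 3: under no nat-control (the 7.x default) the ACL alone decides.
    return True
```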
01-18-2007 05:45 PM
Hi Raj,
Thanks much for your help.
Let me try this in the test setup and get back to you.
Thanks,
Magesh