
New Member

Passing traffic

I have a Cisco PIX 525 with 5 interfaces. 1 is the outside interface with a public address, and there is another public network in the DMZ. Now there are no translations between the DMZ and outside as both contain routable addresses. Now I have created the ACLS, for the outside to get to the DMZ and the traffic works fine. My question is do I need to allow the traffic back from the DMZ or will the traffic be allowed to return due to it being an SPI firewall?

Also do I need a NAT 0 statement for traffic passing from the DMZ to the outside?

8 REPLIES
Hall of Fame Super Blue

Re: Passing traffic

Lewis

Not sure what you mean by no NAT translations. Have you turned NAT off ?

Even using public IP addresses on the DMZ you still need to have a NAT rule for traffic to be allowed from a lower to higher security interface, e.g. something like

static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240

So have you turned NAT off, or do you have a statement like the one above?

If you have turned NAT off nothing is needed on the DMZ interface, i.e. no nat statement and no acl.

If you have a static statement like the one given above then you don't need to do anything else.

Jon

New Member

Re: Passing traffic

We have a NO NAT statement for the DMZ subnet going anywhere.

Hall of Fame Super Blue

Re: Passing traffic

Lewis

What is the actual config to do this on your firewall ?

Are you experiencing any connectivity problems?

As for the acl, you don't need one on the DMZ, as return traffic from the DMZ to outside will be allowed due to the stateful nature of the firewall, and connections from the DMZ can be initiated to a lower security interface.

Only if you wanted to

a) restrict outbound traffic from DMZ

OR

b) allow traffic from DMZ to a higher security interface such as the inside

would you need an acl.

Jon

New Member

Re: Passing traffic

I've got it, thanks. I have one other question if you don't mind. We also have an ASA set up with 2 interfaces, one with 192.168.1.x and the other with 10.1.10.x. Now we have the ACLs configured and traffic can pass between subnets without any NAT statement. How is this possible?

Hall of Fame Super Blue

Re: Passing traffic

It may well be that you have nat-control turned off. If you have, then you don't need NAT to allow traffic from a lower to higher security interface, but you still need an acl.

Jon

New Member

Re: Passing traffic

There is nothing to say it is switched off. This is an ASA running v8.0.

Hall of Fame Super Blue

Re: Passing traffic

That's because nat-control is disabled by default on an ASA with v8.x software:

https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422

Jon
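A consolidated PIX/ASA configuration for the setup discussed in this thread, both the static/nat-control point from Jon's first reply and the ACL points from his later replies (added example, not taken from the original posts). Interface names, security levels, the outside and inside addresses, the DMZ hosts and the DNS server are constructed; only the 195.17.10.0/28 range comes from Jon's static example above.

```cisco
! Interface names, security levels, the outside/inside addresses and
! the DMZ hosts are constructed for this example; 195.17.10.0/28 is
! the DMZ range from Jon's static example in the thread.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 195.17.10.1 255.255.255.240
interface Ethernet2
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
! With nat-control enabled (the behaviour Jon's first reply assumes),
! DMZ (50) -> outside (0) needs a translation even though both sides
! hold public addresses. Either the identity static Jon shows ...
nat-control
static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240
! ... or the "NAT 0" form the original poster asked about:
!   access-list DMZ-NONAT extended permit ip 195.17.10.0 255.255.255.240 any
!   nat (dmz) 0 access-list DMZ-NONAT
! On ASA 8.x "no nat-control" is the default and neither is required.
!
! Lower -> higher (outside -> DMZ) always needs an ACL. Return traffic
! of these connections is matched by the connection table, not by an
! ACL on the dmz interface, so no dmz ACL is needed just for replies.
access-list OUTSIDE-IN extended permit tcp any host 195.17.10.5 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Optional (Jon's cases a and b): once an access-group is applied to
! dmz, the implicit permit to lower-security interfaces is gone and
! anything not listed is dropped, so list only what the DMZ host
! needs. The inside network stays unreachable from the DMZ.
access-list DMZ-OUT extended deny ip 195.17.10.0 255.255.255.240 10.1.10.0 255.255.255.0 log
access-list DMZ-OUT extended permit udp host 195.17.10.5 host 203.0.113.53 eq 53
access-list DMZ-OUT extended permit tcp host 195.17.10.5 any eq 80
access-list DMZ-OUT extended deny ip any any log
access-group DMZ-OUT in interface dmz
```

After applying it, `show xlate` lists the identity translation and `show conn` shows the connection entries that carry DMZ return traffic back out without any dmz-side ACL.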

New Member

Re: Passing traffic

Many Thanks!
