I have a PIX 501 configured with static NAT for an internal host. Suppose I configure a rule that allows any incoming traffic from anywhere to the internal host. Will the Cisco Adaptive Security Algorithm still be inspecting traffic to that host? Will the PIX prevent attacks from outside? Or would setting a "permit any" rule disable the firewall capabilities and be similar to exposing the internal host directly to the Internet?
If you have configured a static, then you have to apply an access-list on the outside interface to define which traffic is permitted. Now, this does not mean that the internal host is vulnerable: only the ports which you have allowed in the access-list are open for that host. The host is by default protected against any TCP SYN attack, i.e. the number of embryonic connections; you can limit the number of maximum concurrent connections to that host. Also, only valid sequence numbers and ports are allowed to that host.
If you want explicit inspection for that host, then you can turn on IPS on the 501.
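As an added illustration (not part of the original post or the author's configuration), the following PIX 6.x-style fragment shows the difference between the broad "permit any" rule asked about and the narrowed rule the answer recommends, together with the connection and embryonic limits on the static. The addresses (203.0.113.10 outside, 192.168.1.10 inside), the access-list name `outside_in`, the audit name `outside_ids` and the limit values are assumptions chosen for the example.

```cisco
! Static NAT for the internal host. The two trailing numbers are the
! max_conns and emb_limit fields: at most 100 established connections and
! at most 50 half-open (embryonic) connections before the PIX starts
! intercepting new SYNs. Sequence number randomization stays on because
! norandomseq is NOT specified.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 100 50

! Overly broad rule (the "permit any" case from the question). The ASA still
! tracks state, checks sequence numbers and applies the limits above, but
! every TCP/UDP port on the host becomes reachable from the Internet.
! access-list outside_in permit ip any host 203.0.113.10

! Narrowed rule: expose only the service the host actually offers (assumed
! here to be HTTP). Everything else is dropped by the implicit deny.
access-list outside_in permit tcp any host 203.0.113.10 eq www

! Bind the list inbound on the outside interface.
access-group outside_in in interface outside

! Optional: the built-in PIX 6.x signature checks the answer calls "ips".
! Informational signatures are only alarmed; attack signatures are
! alarmed and dropped on the outside interface.
ip audit name outside_ids info action alarm
ip audit name outside_ids attack action alarm drop
ip audit interface outside outside_ids
```

With the narrowed access-list the PIX still runs its stateful inspection either way; the difference the "permit any" rule makes is purely in exposure, since every listening port on the host becomes reachable, while the SYN limits, sequence-number checks and the connection limits on the static continue to apply.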