Firewall Wizards mailing list archives
Re: PIX 520 - control traffic between DMZ and inside devices
From: Luca Berra <bluca () comedia it>
Date: Sun, 22 Dec 2002 14:04:34 +0100
Eye Am wrote:
Thanks Brian! We did use NAT, static xlate from DMZ to inside, and access-lists to limit port/machine access from DMZ to inside. Cisco finally helped me figure out why I was confused and why it wasn't working as desired. Interestingly they had me create static xlates very different than any of the "rules" state on any CCO documents I read. Normally a static statement xlates two different IP addies but they had me NAT the same IP address inside and DMZ. Never saw that done and haven't found anything on CCO discussing the practice.
This is correct. PIX is based on having security levels on interfaces; the idea seems to be based on its use as a device dividing a small LAN from the internet. The rules it always enforces are:
1) traffic is permitted from more secure to less secure interfaces unless denied explicitly with outbound/apply commands.
2) traffic is blocked from less secure to more secure interfaces unless permitted in a conduit or ACL.
3) ip addresses residing on a more secure network are not visible from a less secure network unless manually exposed (via static or dynamic NAT).
4) ip addresses on a less secure network are directly visible from a more secure network.
You use the nat and global commands to configure dynamic NAT, and you use the static command to configure static NAT. To allow a device on a secure network to communicate with another in a less secure one you must:

DYNAMIC NAT
a) define with 'global (external_interface) a_number ip_or_range' the address pool used for external (global) ip address(es)
b) associate one or more internal ips with a global pool with the 'nat (internal_interface) a_number ip_address mask' command
If a_number is 0 for the nat command it disables NAT on the interface (does not NAT stuff coming from this interface).

STATIC NAT
You use the command 'static (internal_if,external_if) nat_address real_address'. If nat_address and real_address are the same you are not actually NATting, but you are explicitly exposing the ip address to an outside interface (thus satisfying point 3). If you also need to start a communication from the outside you should add a conduit or ACL to satisfy point 2.
Hope this clears some confusion on this issue.
Regards,
L.
--
Luca Berra -- bluca () comedia it
/"\
\ / ASCII RIBBON CAMPAIGN
 X  AGAINST HTML MAIL
/ \
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 16)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 16)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- Re: PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- Re: PIX 520 - control traffic between DMZ and inside devices Luca Berra (Dec 22)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 16)
- <Possible follow-ups>
- Re: PIX 520 - control traffic between DMZ and inside devices Miha Vitorovic (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 30)