Firewall Wizards mailing list archives

Re: static nat and tcp limits


From: "Vladislav Antolik" <vladislav.antolik () gmail com>
Date: Mon, 10 Mar 2008 16:03:58 +0100

Yes, of course. I have two independent networks.
On the other hand, I can't imagine that I can have two of the same IP
addresses connected to one PIX.
The PIX probably would not allow it.

So when I use different IP addresses, can any duplication occur during
translation?


Did you mean
access-list nonat_acl extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat_acl
nat (dmz) 0 access-list nonat_acl ?

Because with nat (inside) 1 ... I would need to use a global statement.
Thanks.
           Vladislav
On Mon, Mar 3, 2008 at 4:33 PM, Fetch, Brandon <bfetch () tpg com> wrote:
So my explanation required another presumption: that you're running
 different IP addresses between your DMZ & inside networks.

 If not, then you're stuck doing the respective static for the inside to
 DMZ or vice versa.


 -----Original Message-----
 From: firewall-wizards-bounces () listserv icsalabs com
 [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
 Vladislav Antolik
 Sent: Sunday, March 02, 2008 3:11 PM
 To: Firewall Wizards Security Mailing List
 Subject: Re: [fw-wiz] static nat and tcp limits

 Many thanks. Just one question. Is it true what I've written in my
 question, that there could be a problem with two of the same IP address,
 the NATed one and the real one?

 Vladislav

 On Sat, Mar 1, 2008 at 11:54 PM, Fetch, Brandon <bfetch () tpg com> wrote:
 > Easiest way I've found to handle inside to DMZ traffic with the
 >  following presumption:
 >  Your security policy has no need for any of the "NAT inspections" the
 >  firewall does when it performs NAT across interfaces
 >
 >  Easiest way to do this is to define a nonat group that includes your
 >  inside & DMZ networks both directions.
 >
 >  And in your case it would appear to be a simple nonat ACL of:
 >  Permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
 >
 >  Then define your appropriate "nat (1)" statements for the appropriate
 >  interfaces (inside & DMZ).
 >
 >  This will make the firewall NOT perform NAT when either inside talks to
 >  DMZ or DMZ talks to inside.
 >
 >  The added side benefit of this is that it makes writing 'secure' (haha,
 >  I've seen some BAD ones) ACLs that allow traffic from the DMZ into the
 >  inside easier. Since there is no NAT happening you don't have to worry
 >  about trying to figure out what inside address a DMZ system needs to be
 >  configured to be allowed to reach.
 >
 >  Only dealing with RFC1918 addresses when creating/managing your
 >  'interior' ACLs, to me, means easier firewall management.
 >
 >  HTH,
 >  Brandon
 >
 >
 >
 >  -----Original Message-----
 >  From: firewall-wizards-bounces () listserv icsalabs com
 >  [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
 >  Vladislav Antolik
 >  Sent: Friday, February 29, 2008 5:27 AM
 >  To: firewall-wizards () listserv icsalabs com
 >  Subject: [fw-wiz] static nat and tcp limits
 >
 >  Hello,
 >
 >  I'm using a Cisco PIX 515E, 8.0(3).
 >  I have two networks, inside and dmz. Inside has sec. level 100, dmz
 >  50. To let hosts communicate from inside to dmz I made
 >  static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10.
 >  I think that the PIX during NAT vindicates the NATed IP address on the
 >  destination interface, so I had on these segments two devices with the
 >  same IP address.
 >  Is it true? What is the best solution: disable nat-control and then
 >  disable the static record?
 >  Many thanks,
 >  Vladislav
 >  _______________________________________________
 >  firewall-wizards mailing list
 >  firewall-wizards () listserv icsalabs com
 >  https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
 >
 >
 >  This message is intended only for the person(s) to which it is
 addressed
 >  and may contain privileged, confidential and/or insider information.
 >  If you have received this communication in error, please notify us
 >  immediately by replying to the message and deleting it from your
 computer.
 >  Any disclosure, copying, distribution, or the taking of any action
 concerning
 >  the contents of this message and any attachment(s) by anyone other
 >  than the named recipient(s) is strictly prohibited.



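As an added example (not from the thread, and not Cisco code), a small Python model of the NAT-exemption ACL being discussed: it parses PIX/ASA-style "permit ip A MASK B MASK" entries and checks whether a "nat 0 access-list" ACL exempts inside<->DMZ traffic in both directions, and whether the two ranges overlap at all. The inside and DMZ subnets (172.16.0.0/16 and 172.17.0.0/16) are assumptions, since the thread never states the DMZ range; the two ACL forms are the 255.255.0.0 and 255.240.0.0 masks quoted in the thread.

```python
import ipaddress

# Constructed example addressing: the thread does not state the DMZ subnet,
# so INSIDE and DMZ below are assumptions, not the poster's real networks.
INSIDE = ipaddress.ip_network("172.16.0.0/16")
DMZ = ipaddress.ip_network("172.17.0.0/16")   # assumed second RFC1918 /16

# The two ACL forms that appear in the thread. PIX/ASA ACLs take a
# netmask (not a wildcard mask) after each address.
ACL_MASK16 = ["access-list nonat_acl extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0"]
ACL_MASK12 = ["access-list nonat_acl extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0"]


def parse_permit_ip(line):
    """Return (src_net, dst_net) for a 'permit ip A MASK B MASK' ACL entry."""
    tok = line.split()
    i = tok.index("ip")
    src = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
    dst = ipaddress.ip_network(f"{tok[i + 3]}/{tok[i + 4]}", strict=False)
    return src, dst


def exempted(acl, src_ip, dst_ip):
    """True if 'nat 0 access-list' with this ACL would exempt src->dst from NAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in map(parse_permit_ip, acl))


def covers_both_ways(acl, net_a, net_b):
    """Does some ACL entry contain the whole net_a->net_b pair, and some
    entry the whole net_b->net_a pair? The nonat ACL is applied on both
    interfaces, so both directions must be matched for identical behaviour."""
    entries = [parse_permit_ip(line) for line in acl]

    def fully(a, b):
        return any(a.subnet_of(sn) and b.subnet_of(dn) for sn, dn in entries)

    return fully(net_a, net_b) and fully(net_b, net_a)


def overlapping(net_a, net_b):
    """Address collisions between inside and DMZ hosts can only arise if the
    two ranges actually overlap; this is the check behind the thread's
    'two devices with the same IP' question."""
    return net_a.overlaps(net_b)


if __name__ == "__main__":
    for name, acl in (("255.255.0.0 mask", ACL_MASK16), ("255.240.0.0 mask", ACL_MASK12)):
        print(name, "exempts inside<->dmz:", covers_both_ways(acl, INSIDE, DMZ))
    print("inside/dmz ranges overlap:", overlapping(INSIDE, DMZ))
```

With the assumed /16 DMZ, only the 255.240.0.0 form exempts inside<->DMZ traffic; the 255.255.0.0 form matches only 172.16.0.0/16 talking to itself.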