Firewall Wizards mailing list archives
Re: New to Cisco PIX/ ASA
From: Jason <jasonisnow () gmail com>
Date: Wed, 22 Aug 2007 08:35:40 -0400
Only minor thing I'll add for the sake of clarity is the need for translation (NAT or one of its many flavors) when traversing any two interfaces on a PIX/ASA. When typical traffic (non-VPN) from the internal interface, Eth0/0, is destined for the external interface, Eth0/1, network address translation has to occur. This would include the use of a nat/global command pairing:

    global (outside) 1 66.166.x.x 255.255.x.x
    nat (inside) 1 192.168.1.x 255.255.255.x

When traversing any two interfaces you always need two things: permission (access-list) and translation (NAT or one of its cousins).

On 8/6/07, ArkanoiD <ark () eltex net> wrote:
> Being not a PIX expert, as I see no one answers: no, you do not need a reverse rule if the protocol is known and does not require strange callbacks. If it does, it is hard to say what your configuration looks like ;-)
>
> On Wed, Aug 01, 2007 at 06:41:53PM -0400, Keith A. Glass wrote:
>
> > I've managed Gauntlets, Checkpoints, Netscreens, and SonicWalls in the past. I'm a bit confused with the ins and outs of the ASA firewalls. I'm setting up an HA pair; my Eth0/0 is my interior interface, trust level 100, Eth 0/1 and 0/2 are my IP and State heartbeats, and Eth 1/0 is my external interface, trust level 1.
> >
> > Am I correct in my understanding that if I want two-way traffic, traffic is not blocked to a lower trust level, so I need only write a rule to pass the traffic between the endpoints from the external interface to the internal interface, and the reply traffic is taken care of?? Or do I have to write a reverse rule, from the internal interface to the external as well???
--
-->j
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
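To put the two pieces the thread names (translation plus permission, with replies handled by state) side by side, here is an added configuration example that is not from any post in this thread. Interface names follow Jason's layout (Eth0/0 inside, Eth0/1 outside); the addresses are constructed documentation ranges, and the syntax assumed is the pre-8.3 PIX 7.x / ASA 7.x-8.2 CLI that the nat/global pairing implies.

```cisco
! Added example, not from any post in this thread. Constructed addresses:
! 203.0.113.0/24 stands in for the public block, 192.168.1.0/24 for the inside LAN.
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! 1) Translation, inside -> outside: dynamic PAT of the whole LAN behind one public address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.5
!
! 2) Translation, outside -> inside: a static one-to-one mapping for a published server.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 3) Permission for the low-security -> high-security direction. Pre-8.3 ACLs match the
!    translated (global) address. Only the initiating direction is listed; stateful
!    inspection admits the replies, so no reverse rule is applied on "inside".
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inside -> outside needs no ACL here: traffic from a higher security-level to a lower
! one is permitted by default once the translation in (1) exists.
```

Two caveats worth keeping in mind when applying this. On ASA 7.x and later the default is `no nat-control`, so a translation is not strictly required for traffic to pass (the ACL still is); the mandatory-NAT behaviour Jason describes is the PIX 6.x default or ASA with `nat-control` enabled. From ASA 8.3 onward, `nat`/`global`/`static` were replaced by object NAT and ACLs match real (untranslated) addresses, so the `access-list` line above would reference 192.168.1.10 instead. To confirm that the reply path is being handled by state rather than by a missing rule, `show conn` and `show xlate` will list the connection and its translation while a session is open, and `show access-list OUTSIDE_IN` shows hit counts against each entry.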
Current thread:
- New to Cisco PIX/ ASA Keith A. Glass (Aug 01)
- Re: New to Cisco PIX/ ASA ArkanoiD (Aug 21)
- Re: New to Cisco PIX/ ASA Jason (Aug 22)
- CSA Question Carric Dooley (Aug 21)
- IPv6 support in firewalls Dave Piscitello (Aug 21)
- Re: IPv6 support in firewalls ArkanoiD (Aug 22)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 22)
- Re: IPv6 support in firewalls Shahin Ansari (Aug 22)
- Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: IPv6 support in firewalls Mohit Sharma (Aug 23)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
- Re: IPv6 support in firewalls Darren Reed (Aug 22)
- Message not available
- Re: IPv6 support in firewalls Darren Reed (Aug 23)
- Re: New to Cisco PIX/ ASA ArkanoiD (Aug 21)