Firewall Wizards mailing list archives
Re: static nat and tcp limits
From: "Fetch, Brandon" <bfetch () tpg com>
Date: Mon, 3 Mar 2008 10:33:58 -0500
So my explanation required another presumption: that you're running different IP addresses between your DMZ & inside networks. If not, then you're stuck doing the respective static for the inside to DMZ or vice versa.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Vladislav Antolik
Sent: Sunday, March 02, 2008 3:11 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] static nat and tcp limits

Many thanks. Just one question. Is it true what I've written in my question? That there could be a problem with two of the same IP address - NATed and real.

Vladislav

On Sat, Mar 1, 2008 at 11:54 PM, Fetch, Brandon <bfetch () tpg com> wrote:

Easiest way I've found to handle inside to DMZ traffic with the following presumption: your security policy has no need for any of the "NAT inspections" the firewall does when it performs NAT across interfaces.

Easiest way to do this is to define a nonat group that includes your inside & DMZ networks both directions. And in your case it would appear to be a simple nonat ACL of:

permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0

Then define your appropriate "nat (1)" statements for the appropriate interfaces (inside & DMZ). This will make the firewall NOT perform NAT when either inside talks to DMZ or DMZ talks to inside.

The added side benefit of this is it makes writing 'secure' (haha - I've seen some BAD ones) ACLs that allow traffic from the DMZ into the inside. Since there is no NAT happening you don't have to worry about trying to figure out what inside address a DMZ system needs to be configured to be allowed to reach. You're only dealing with RFC1918 addresses when creating/managing your 'interior' ACLs, which to me means easier firewall management.

HTH,
Brandon

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Vladislav Antolik
Sent: Friday, February 29, 2008 5:27 AM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] static nat and tcp limits

Hello,

I'm using Cisco Pix 515E, 8.0(3). I have two networks - inside and dmz. Inside has sec. level 100, dmz 50. To communicate hosts from inside to dmz I made:

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10

I think that the Pix during NAT vindicates the NAT-ed IP address on the destination interface, so I had on these segments two devices with the same IP address. Is it true? What is the best solution; disable nat-control and then disable static record?

Many thanks,
Vladislav

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
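The nonat approach Brandon describes, written out as a PIX 8.0 configuration fragment beside the identity static from the original question. This is an added illustration, not configuration posted in the thread; the /24 subnets, the interface names (inside, dmz, outside) and the DMZ-to-inside host pair are assumed.

```text
! Added example (not from the thread). Assumed: inside = 172.16.1.0/24 (sec 100),
! dmz = 172.16.2.0/24 (sec 50), outside = Internet-facing interface.

! --- Original approach from the question: identity static with TCP limits ---
! Maps inside 172.16.0.0/16 to itself on the dmz interface; "tcp 0 10" means
! unlimited TCP connections and an embryonic (half-open) limit of 10.
! The PIX also proxy-ARPs for mapped addresses on dmz, which is where the
! "same IP on two segments" concern in the question comes from.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10

! --- Brandon's approach: exempt inside<->dmz traffic from NAT entirely ---
! (remove the static above when switching to this). The 255.240.0.0 mask is
! 172.16.0.0/12, so any 172.16-31.x.x source to any 172.16-31.x.x destination
! is exempt; applying it on both interfaces covers both directions.
access-list NONAT extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT

! Ordinary NAT for everything else (towards outside), the "nat (1)" statements
! Brandon refers to; the global pool is assumed.
nat (inside) 1 172.16.1.0 255.255.255.0
nat (dmz) 1 172.16.2.0 255.255.255.0
global (outside) 1 interface

! With no translation in the path, the DMZ->inside ACL is written against the
! real inside addresses. Permit only what is needed (here an assumed DMZ web
! server reaching an assumed inside database on TCP 1433) and log the rest.
access-list DMZ_IN extended permit tcp host 172.16.2.10 host 172.16.1.20 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

If nat-control is enabled (the default after an upgrade from 6.x), the two `nat 0` lines are what allow the lower-security dmz interface to reach inside without a static; with nat-control disabled they are still harmless and keep the intent explicit.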