[c-nsp] ASA Nat 0 != Statefull inspection... ?

Laurent Geyer lgeyer at 085zehn.com
Thu Nov 30 09:42:18 EST 2006


On 11/30/06, Peter Krupl <peter.krupl at ventelo.dk> wrote:

>
> I can connect from the inside to the DMZ without nat, which is what I
> want.
> But I can also connect from the DMZ to the inside, which is not what I
> wanted.


I could be entirely off base here but I always thought that the correct way
to permit traffic between interfaces with differing security levels was to
define static translations. Technically 'nat 0' should work fine but I've
personally always used static translations to facilitate that kind of
communication.

The only way that I could imagine DMZ hosts being able to establish
connections to inside hosts is if there is an access-group defined for the DMZ
interface that permits traffic to the higher security network.

This is how I would configure the ASA/PIX:

static (<higher security int>,<lower security int>) <higher security network> <higher security network> netmask <higher security netmask>

In your case this would look as follows:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

When configured in that fashion any host on inside (192.168.1.0/24) will
have access to DMZ hosts, but hosts on the DMZ network will not be able to
initiate connections to hosts on the inside interface.


> Is the ASA just an expensive piece of ...@#$!&@#$@! ?


It's not cheap, that's for sure but I rather like the PIX/ASAs. Maybe I've
simply grown accustomed to the PIX/ASA ways...

- Laurent
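The check Laurent describes (the only thing that lets a DMZ host initiate connections into inside is an access-group bound to the DMZ interface that permits traffic toward the higher-security network) can be scripted against a saved config. The following Python is an added example for this thread, not code from the original posts or from Cisco. It parses a small, constructed pre-8.3 ASA/PIX config (interface names, security levels, the ACL name DMZ_IN and the addresses are assumed for illustration; the identity static mirrors the one above) and reports every ACL entry on a lower-security interface that permits traffic into the inside subnet, walking each ACL in first-match order.

```python
# Audit a pre-8.3 ASA/PIX config for access-groups that let a lower-security
# interface (e.g. DMZ) initiate connections into a higher-security subnet.
# Added example for this thread, not from the original post or from Cisco;
# interface names, security levels, ACL name and addresses are constructed.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list DMZ_IN extended permit tcp host 192.168.2.10 host 192.168.1.20 eq 1433
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def _take_addr(tokens):
    """Consume one ASA address spec: 'any' | 'host A.B.C.D' | 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _skip_port(tokens):
    """Skip an optional source-port operator (eq/gt/lt/neq X, range X Y)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        del tokens[:3]


def parse_interfaces(config):
    """Return {nameif: (security_level, connected_network)}."""
    ifaces, name, level, net = {}, None, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            if name:
                ifaces[name] = (level, net)
            name = level = net = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if name:
        ifaces[name] = (level, net)
    return ifaces


def parse_acls(config):
    """Return {acl: [(action, proto, src, dst, text), ...]} in first-match order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acl, action, proto, rest = m.groups()
            tokens = rest.split()
            src = _take_addr(tokens)
            _skip_port(tokens)
            dst = _take_addr(tokens)  # trailing destination port is irrelevant here
            acls.setdefault(acl, []).append((action, proto, src, dst, line.strip()))
    return acls


def audit(config, protected="inside"):
    """Return [(interface, ace_text)] for entries of an ACL bound inbound on a
    lower-security interface that permit traffic into the protected subnet.
    A catch-all 'deny ip any <protected net>' ends the walk, since nothing
    after it can match that destination (finer shadowing is not modelled)."""
    ifaces, acls = parse_interfaces(config), parse_acls(config)
    prot_level, prot_net = ifaces[protected]
    findings = []
    for line in config.splitlines():
        m = AG_RE.match(line.strip())
        if not m:
            continue
        acl, iface = m.groups()
        level, _ = ifaces.get(iface, (None, None))
        if level is None or level >= prot_level:
            continue  # same or higher security: not the ACL that lets it in
        for action, proto, src, dst, text in acls.get(acl, []):
            if not dst.overlaps(prot_net):
                continue
            if action == "permit":
                findings.append((iface, text))
            elif proto == "ip" and src == ANY and dst.supernet_of(prot_net):
                break
    return findings


if __name__ == "__main__":
    for iface, text in audit(SAMPLE_CONFIG):
        print(f"{iface} can initiate into inside via: {text}")
```

On the constructed config the script flags only the single TCP permit toward 192.168.1.20; the `permit ip any any` at the end is not reported because the preceding `deny ip any 192.168.1.0 255.255.255.0` already covers the whole inside subnet. Removing the `access-group` line yields no findings, which is the state Laurent expects with just the identity static in place.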

