[c-nsp] ASA Nat 0 != Statefull inspection... ?

Voll, Scott Scott.Voll at wesd.org
Thu Nov 30 10:54:29 EST 2006


And use ACLs to open what needs to be open and close what needs to be
closed.  I have yet to set up a PIX / ASA and not have some form of ACL
on an interface.

But the long and short, I believe Laurent is correct with the Static
command.

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Laurent Geyer
Sent: Thursday, November 30, 2006 6:42 AM
To: Peter Krupl
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA Nat 0 != Statefull inspection... ?

On 11/30/06, Peter Krupl <peter.krupl at ventelo.dk> wrote:

> I can connect from the inside to the DMZ without nat, which is what I
> want.
> But I can also connect from the DMZ to the inside, which is not what I
> wanted.


I could be entirely off base here but I always thought that the correct
way to permit traffic between interfaces with differing security levels
was to define static translations. Technically 'nat 0' should work fine
but I've personally always used static translations to facilitate that
kind of communication.

The only way that I could imagine DMZ hosts being able to establish
connections to inside hosts is if there is an access-group defined for
the DMZ interface that permits traffic to the higher security network.

This is how I would configure the ASA/PIX:

static (<higher security int>,<lower security int>) <higher security network> <higher security network> netmask <higher security netmask>

In your case this would look as follows:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

When configured in that fashion any host on inside (192.168.1.0/24) will
have access to DMZ hosts, but hosts on the DMZ network will not be able
to initiate connections to hosts on the inside interface.


> Is the ASA just an expensive piece of ...@#$!&@#$@! ?


It's not cheap, that's for sure but I rather like the PIX/ASAs. Maybe
I've simply grown accustomed to the PIX/ASA ways...

- Laurent
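The configuration below is an added illustration of the thread's advice, not a config posted by Scott, Laurent or Peter. It shows the identity static from inside to DMZ that Laurent describes, together with the interface access-group Scott recommends, so that the DMZ interface carries an explicit policy rather than relying on the default security-level behaviour alone. It uses the pre-8.3 PIX/ASA syntax the thread is discussing; the interface names, IP addresses, DMZ subnet (10.10.10.0/24) and ACL name are assumptions chosen for the example.

```cisco
! Interface security levels: inside (100) is higher than DMZ (50),
! so inside->DMZ is allowed by default and DMZ->inside is not.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Identity static: inside hosts reach the DMZ with their real addresses
! (no translation), but the static alone does not let DMZ hosts start
! connections back to inside.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Explicit inbound policy on the DMZ interface. The first line makes the
! "no DMZ->inside" intent visible in the ACL; the second lets the DMZ
! reach anything else (e.g. the outside). Anything not permitted is
! dropped by the implicit deny at the end of the list.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ
```

After applying this, `show xlate` should list the identity translations for inside hosts that have talked to the DMZ, and `show access-list DMZ_IN` should show hit counts climbing on the deny line whenever a DMZ host attempts a connection to 192.168.1.0/24. If DMZ hosts can still reach inside, the thing to look for is another access-group on the DMZ interface (or a broader permit in this one) that allows traffic to the higher security network, which is the case Laurent describes.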
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


