[c-nsp] ASA Nat 0 != Statefull inspection... ?

Peter Krupl peter.krupl at ventelo.dk
Fri Dec 1 05:41:12 EST 2006


Hi,

Thank you for your input.

Do I have to think of the access lists as having 3 outcomes, instead of the 2 outcomes in IOS?

In IOS I always have an implicit deny at the end of my access list, which means that anything not explicitly permitted is denied.

On the ASA I have 4 outcomes, which are:
1. Deny by explicit rule
2. Permit by explicit rule
3.1 Implicit permit from higher to lower security level.
3.2 Implicit deny from lower to higher security level.

Is this correct ?




Med venlig hilsen/Kind regards
Peter Åris Krüpl
Network specialist
Ventelo Webpartner
Direct:  35 25 47 54

 


-----Original Message-----
From: Voll, Scott [mailto:Scott.Voll at wesd.org] 
Sent: 30. november 2006 16:54
To: Laurent Geyer; Peter Krupl
Cc: cisco-nsp
Subject: RE: [c-nsp] ASA Nat 0 != Statefull inspection... ?

And use ACL's to open what needs to be open and close what needs to be
closed.  I have yet to setup a PIX / ASA and not have some form of ACL
on an interface.

But the long and short, I believe Laurent is correct with the Static
command.

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Laurent Geyer
Sent: Thursday, November 30, 2006 6:42 AM
To: Peter Krupl
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA Nat 0 != Statefull inspection... ?

On 11/30/06, Peter Krupl <peter.krupl at ventelo.dk> wrote:

>
> I can connect from the inside to the DMZ without nat, which is what I
> want.
> But I can also connect from the DMZ to the inside, which is not what I
> wanted.


I could be entirely off base here but I always thought that the correct
way to permit traffic between interfaces with differing security levels
was to define static translations. Technically 'nat 0' should work fine
but I've personally always used static translations to facilitate that
kind of communication.

The only way that I could imagine DMZ hosts being able to establish
connections to inside hosts is if there is an access-group defined for
the DMZ interface that permits traffic to the higher security network.

This is how I would configure the ASA/PIX:

static (<higher security int>,<lower security int>) <higher security
network> <higher security network> netmask <higher security netmask>

In your case this would look as follows:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

When configured in that fashion any host on inside (192.168.1.0/24) will
have access to DMZ hosts, but hosts on the DMZ network will not be able
to initiate connections to hosts on the inside interface.


> Is the ASA just an expensive piece of ...@#$!&@#$@! ?


It's not cheap, that's for sure but I rather like the PIX/ASAs. Maybe
I've simply grown accustomed to the PIX/ASA ways...

- Laurent
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
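The decision order Laurent and Peter are discussing, as an added example that is not part of any message in this thread: a small Python model of how an ASA decides whether a new connection entering an interface is allowed. The topology (inside at security level 100 with 192.168.1.0/24, DMZ at level 50 with 10.0.0.0/24, and a 203.0.113.0/24 "outside" subnet) is constructed for the example. The rule it encodes is that an access-group bound to the interface replaces the security-level rule entirely, including its implicit deny at the end, so the implicit permit from higher to lower security only exists while no ACL is bound; equal security levels are denied by default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    """One access-list entry: action is 'permit' or 'deny', src/dst are CIDR strings."""
    action: str
    src: str
    dst: str

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


@dataclass
class Interface:
    name: str
    security: int          # ASA security level, 0-100
    access_group: list = None   # None means no ACL is bound to this interface


def evaluate(ingress, egress, src_ip, dst_ip):
    """Outcome for a new connection arriving on `ingress` and leaving via `egress`."""
    if ingress.access_group is not None:
        # A bound ACL is the whole policy: first matching entry wins, otherwise
        # the implicit deny at the end applies, whatever the security levels are.
        for ace in ingress.access_group:
            if ace.matches(src_ip, dst_ip):
                return ace.action, "explicit rule"
        return "deny", "implicit deny at end of access-group"
    if ingress.security > egress.security:
        return "permit", "implicit permit, higher to lower security level"
    # Lower-to-higher, and also equal levels unless same-security-traffic is enabled.
    return "deny", "implicit deny, lower to higher (or equal) security level"


def demo():
    """Constructed topology: inside (100) 192.168.1.0/24, DMZ (50) 10.0.0.0/24."""
    inside, dmz = Interface("inside", 100), Interface("DMZ", 50)
    r = {}
    r["inside->dmz, no ACL"] = evaluate(inside, dmz, "192.168.1.10", "10.0.0.5")[0]
    r["dmz->inside, no ACL"] = evaluate(dmz, inside, "10.0.0.5", "192.168.1.10")[0]
    # The case Laurent describes: an access-group on DMZ that opens the inside network.
    dmz.access_group = [Ace("permit", "10.0.0.0/24", "192.168.1.0/24")]
    r["dmz->inside, ACL permits"] = evaluate(dmz, inside, "10.0.0.5", "192.168.1.10")[0]
    # An ACL that only mentions the outside subnet: inside is caught by the implicit deny.
    dmz.access_group = [Ace("permit", "10.0.0.0/24", "203.0.113.0/24")]
    r["dmz->inside, ACL silent"] = evaluate(dmz, inside, "10.0.0.5", "192.168.1.10")[0]
    # Binding an ACL to inside removes the higher-to-lower implicit permit as well.
    inside.access_group = [Ace("permit", "192.168.1.0/24", "203.0.113.0/24")]
    r["inside->dmz, ACL silent"] = evaluate(inside, dmz, "192.168.1.10", "10.0.0.5")[0]
    return r
```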



