[c-nsp] ASA Nat 0 != Stateful inspection... ?
Peter Krupl
peter.krupl at ventelo.dk
Thu Nov 30 08:05:36 EST 2006
Hi Group,
I have a question regarding the behaviour of the ASA with 7.x software.
When I do something like:
Inside IP: 192.168.1.0/24
DMZ IP: 192.168.2.0/24
DMZ security 50
Inside security 100
------------------------------------------------
access-list inside_nat0 permit ip any 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
------------------------------------------------
I can connect from the inside to the DMZ without NAT, which is what I want.
But I can also connect from the DMZ to the inside, which is not what I wanted.
One solution could be PAT from the inside to the outside, which would be possible for me. But I don't want that, as this obscures the inside user to the DMZ hosts.
I could also do static, but this is still not stateful.
Can it really be true that the ASA is *NOT* a stateful firewall? (No. PAT does not count for that).
Is the ASA just an expensive piece of ...@#$!&@#$@! ?
Kind regards
Peter Åris Krüpl
Network Specialist