[c-nsp] ASA Nat 0 != Statefull inspection... ?

Voll, Scott Scott.Voll at wesd.org
Thu Nov 30 10:54:29 EST 2006

And use ACL's to open what needs to be open and close what needs to be
closed.  I have yet to setup a PIX / ASA and not have some form of ACL
on an interface.

But the long and short, I believe Laurent is correct with the Static


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Laurent Geyer
Sent: Thursday, November 30, 2006 6:42 AM
To: Peter Krupl
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA Nat 0 != Statefull inspection... ?

On 11/30/06, Peter Krupl <peter.krupl at ventelo.dk> wrote:

> I can connect from the inside to the DMZ without nat, which is what I
> want.
> But I can also connect from the DMZ to the inside, which is not what I
> wanted.

I could be entirely off base here but I always thought that the correct way
to permit traffic between interfaces with differing security levels was to
define static translations. Technically 'nat 0' should work fine but I
personally always used static translations to facilitate that kind of

The only way that I could imagine DMZ hosts being able to establish
connections to inside hosts is if there is an access-group defined for the
interface that permits traffic to the higher security network.

This is how I would configure the ASA/PIX:

static (<higher security int>,<lower security int>) <higher security
network> <higher security network> netmask <higher security netmask>

In your case this would look as follows:

static (inside,DMZ) netmask

When configured in that fashion any host on inside ( will
have access to DMZ hosts, but hosts on the DMZ network will not be able to
initiate connections to hosts on the inside interface.

> Is the ASA just an expensive piece of ...@#$!&@#$@! ?

It's not cheap, that's for sure but I rather like the PIX/ASAs. Maybe I've
simply grown accustomed to the PIX/ASA ways...

- Laurent
cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/
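As an added example (not part of Scott's or Laurent's posts), the static-plus-ACL arrangement Laurent describes, written out as a PIX/ASA 7.x configuration fragment. All interface names, addresses and the DMZ_IN access-list name are hypothetical. Note the order of the access-list: when the list ends with a broad permit so the DMZ can reach the Internet, the inside network has to be denied above that line, otherwise the final permit also lets DMZ hosts initiate connections toward inside.

```cisco
! Added example, not from the thread. Hypothetical addressing:
!   inside = 10.1.0.0/16 (security-level 100), DMZ = 172.16.1.0/24 (security-level 50)
!
! Identity static: inside addresses appear unchanged on the DMZ, so inside hosts
! reach DMZ hosts without translation. The static only provides the translation;
! it does not by itself let DMZ hosts initiate toward inside.
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! A lower-security interface gets nothing inbound to a higher-security network
! unless an access-group on that interface permits it. Open only what the DMZ
! needs (hypothetical syslog and DNS server on inside), explicitly deny the rest
! of inside, then allow the DMZ out to the Internet.
access-list DMZ_IN extended permit udp host 172.16.1.10 host 10.1.0.53 eq 514
access-list DMZ_IN extended permit udp 172.16.1.0 255.255.255.0 host 10.1.0.53 eq 53
access-list DMZ_IN extended deny ip any 10.1.0.0 255.255.0.0
access-list DMZ_IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ

! Checks (ASA 7.x): trace a DMZ->inside SSH attempt to confirm the deny line
! is what drops it, and watch the hit counters on the deny entry.
! packet-tracer input DMZ tcp 172.16.1.10 40000 10.1.0.20 22
! show access-list DMZ_IN
```

Without the explicit deny line, an access-list that permits the DMZ to anything would have behaved the way Peter described: inside reachable from the DMZ despite the security levels.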
