[c-nsp] PIX 7.2 behaviour for NAT exemption

Amol Sapkal amolsapkal at gmail.com
Sat Aug 16 10:31:59 EDT 2008


Hello all,

I am looking at a firewall configuration, which has multiple DMZs. Of these,
here are the configurations for three DMZs

DMZ A: security level 50
DMZ B: security level 20
DMZ C: security level 0

Subnet X belongs to DMZ A
subnet Y belongs to DMZ B
Subnet Z belongs to DMZ C

Rules:
Subnet X on DMZ A is 'NAT exempted' with another subnet Y on DMZ B (using
ACL)
Subnet X is allowed 'ip any' access (incoming access-list), on DMZ A
access-list
On DMZ C, there is a 'permit ip any any' (incoming access-list)

PIX software: v7.2(1)

Analysis:
Because subnet X is 'nat exempted', it will translate as-is for any traffic
originating towards and from (bi-directional behaviour) the subnet Y. BUT,
this will also translate the subnet X, *as is*, on the DMZ C (if DMZ A
subnet tries to direct any traffic towards DMZ C subnet).

Understanding:
Given the above configuration (and my analysis), if there is any traffic
originating from DMZ A (higher) to DMZ C (lower), it will be allowed.
Also, if there is any traffic originating from DMZ C to DMZ A (lower to
higher), the traffic will be allowed because the ACLs allow those and
because the NAT exemption rule will translate the subnet on all DMZs
(assuming there was an attempt initially to send traffic towards DMZ C, from
DMZ A)

It's been a year now since I touched a PIX, and now I am unable to remember how
this works. Would be nice if someone here could help me validate my
understanding of the above.

Thanks in advance.


-- 
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
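The setup described in the post, rendered as a PIX 7.2-style configuration so the pieces (security levels, the NAT exemption ACL, the interface ACLs) can be seen together. This is an added illustration, not configuration from the original post; the interface names, ACL names and the RFC 1918 subnets standing in for X, Y and Z are assumed placeholders.

```cisco
! Added illustration, not from the original post. Interface names, ACL
! names and addresses are assumed placeholders for subnets X, Y and Z.
interface Ethernet1
 nameif dmzA
 security-level 50
 ip address 10.1.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmzB
 security-level 20
 ip address 10.2.0.1 255.255.255.0
!
interface Ethernet3
 nameif dmzC
 security-level 0
 ip address 10.3.0.1 255.255.255.0
!
! Subnet X = 10.1.0.0/24 (DMZ A), subnet Y = 10.2.0.0/24 (DMZ B),
! subnet Z = 10.3.0.0/24 (DMZ C).
!
! NAT exemption ("nat 0 access-list"): packets matching this ACL, in either
! direction, keep their real addresses. The ACL names real (untranslated)
! addresses and matches on BOTH source and destination.
access-list NAT0_DMZA extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (dmzA) 0 access-list NAT0_DMZA
!
! Incoming ACL on DMZ A: subnet X may send to anything.
access-list DMZA_IN extended permit ip 10.1.0.0 255.255.255.0 any
access-group DMZA_IN in interface dmzA
!
! Incoming ACL on DMZ C: permit ip any any.
access-list DMZC_IN extended permit ip any any
access-group DMZC_IN in interface dmzC
```

Two things worth checking on the box when validating the analysis above. First, the exemption rule is scoped by its ACL: only X-to-Y (and the reverse) packets match `NAT0_DMZA`, so an X-to-Z flow is not covered by that rule, and whether an unmatched flow is dropped or forwarded untranslated depends on the `nat-control` setting (`show running-config nat-control`; PIX 7.x defaults to disabled on a fresh install, while configurations carried over from 6.x keep it enabled). Second, `show xlate` on the live firewall shows which translations, if any, are actually being built for X-sourced traffic on each interface, which settles the question more reliably than reasoning from the config alone. Reviewing these before trusting an "ip any" permit on a higher-security DMZ is a useful habit, since the combination of a broad interface ACL and a wide `permit ip any any` on the lowest-security DMZ is what decides how much of X is reachable from Z.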

