[c-nsp] PIX 7.2 behaviour for NAT exemption
Michael Smith
mksmith at adhost.com
Sat Aug 16 11:43:51 EDT 2008
Hello Amol:
By my reading you are correct. The basic rule is "nat from higher to lower,
ACL from lower to higher." You have to have NAT translations when going
from a higher security level to a lower security level, so from DMZ A to DMZ
B or C in your example.
If you don't want that traffic to be translated, you'll need a NAT statement
that exempts all traffic back and forth between the two security areas. As
an example:
nat (dmz-c) 0 access-list to-dmz-b
nat (dmz-b) 0 access-list to-dmz-c
access-list to-dmz-b permit ip <subnet z> <subnet y>
access-list to-dmz-c permit ip <subnet y> <subnet z>
These would be in addition to any translations you *want* to occur, using
'nat (interface) 1'
Hope that helps,
Mike
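Added illustration, not part of Mike's reply or Amol's configuration and not PIX code: a small Python model of the two rules stated above (traffic from a higher security level to a lower one needs a translation; a "nat (ifc) 0 access-list" exemption covers matching traffic in both directions). The interface names dmz-a/dmz-b/dmz-c and the 10.x prefixes standing in for subnets X, Y and Z are constructed placeholders, and the model deliberately ignores everything else a PIX does (same-security traffic, global pools, interface ACLs).

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified, added model of the rules in the thread (assumption: not the PIX
# implementation). Flow from a higher-security interface to a lower one must
# have a translation; a "nat (ifc) 0 access-list NAME" exemption matches the
# flows NAME permits from that interface, and the reverse flows as well.


@dataclass
class Interface:
    name: str
    security: int
    subnets: list               # networks reachable behind this interface


@dataclass
class AclEntry:                 # one "access-list NAME permit ip SRC DST" line
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Firewall:
    interfaces: dict = field(default_factory=dict)   # name -> Interface
    exemptions: dict = field(default_factory=dict)   # name -> [AclEntry] (nat 0)
    dynamic_nat: set = field(default_factory=set)    # names with "nat (ifc) 1"

    def add_interface(self, name, security, *cidrs):
        nets = [ipaddress.ip_network(c) for c in cidrs]
        self.interfaces[name] = Interface(name, security, nets)

    def nat_exempt(self, ifc, src_cidr, dst_cidr):
        entry = AclEntry(ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr))
        self.exemptions.setdefault(ifc, []).append(entry)

    def interface_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for ifc in self.interfaces.values():
            if any(addr in net for net in ifc.subnets):
                return ifc
        raise ValueError(f"no interface holds {ip}")

    def is_exempt(self, src_ip, dst_ip):
        """Exempt if the ingress interface's nat 0 ACL permits src->dst, or the
        egress interface's nat 0 ACL permits the reverse flow (bidirectional)."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        ingress, egress = self.interface_for(src_ip), self.interface_for(dst_ip)
        forward = any(s in e.src and d in e.dst
                      for e in self.exemptions.get(ingress.name, []))
        reverse = any(d in e.src and s in e.dst
                      for e in self.exemptions.get(egress.name, []))
        return forward or reverse

    def evaluate(self, src_ip, dst_ip):
        """Classify a flow: 'no-nat-needed' (lower to higher, the ACL decides),
        'exempt' (passes untranslated), 'dynamic-nat' ("nat (ifc) 1" applies)
        or 'no-translation' (translation required but none configured)."""
        ingress, egress = self.interface_for(src_ip), self.interface_for(dst_ip)
        if ingress.security <= egress.security:
            return "no-nat-needed"
        if self.is_exempt(src_ip, dst_ip):
            return "exempt"
        if ingress.name in self.dynamic_nat:
            return "dynamic-nat"
        return "no-translation"


def thread_scenario():
    """Constructed version of the three-DMZ setup with placeholder prefixes
    (assumed: X=10.1.0.0/24, Y=10.2.0.0/24, Z=10.3.0.0/24) plus the extra
    B<->C exemption pair from the reply."""
    fw = Firewall()
    fw.add_interface("dmz-a", 50, "10.1.0.0/24")   # subnet X
    fw.add_interface("dmz-b", 20, "10.2.0.0/24")   # subnet Y
    fw.add_interface("dmz-c", 0, "10.3.0.0/24")    # subnet Z
    fw.nat_exempt("dmz-a", "10.1.0.0/24", "10.2.0.0/24")   # X <-> Y exemption
    fw.nat_exempt("dmz-b", "10.2.0.0/24", "10.3.0.0/24")   # to-dmz-c
    fw.nat_exempt("dmz-c", "10.3.0.0/24", "10.2.0.0/24")   # to-dmz-b
    return fw


if __name__ == "__main__":
    fw = thread_scenario()
    for src, dst in [("10.1.0.5", "10.2.0.5"), ("10.2.0.5", "10.1.0.5"),
                     ("10.1.0.5", "10.3.0.5"), ("10.3.0.5", "10.1.0.5"),
                     ("10.2.0.5", "10.3.0.5")]:
        print(f"{src} -> {dst}: {fw.evaluate(src, dst)}")
```

Under this model the X->Y flow is exempt and Y->X needs no translation at all, but X->Z matches no exemption ACL and, with no "nat (dmz-a) 1" configured, has no translation; that is the case the reply's per-pair exemption statements are meant to cover.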
> From: Amol Sapkal <amolsapkal at gmail.com>
> Date: Sat, 16 Aug 2008 18:31:59 +0400
> To: cisco-nsp <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] PIX 7.2 behaviour for NAT exemption
>
> Hello all,
>
> I am looking at a firewall configuration, which has multiple DMZs. Of these,
> here are the configurations for three DMZs
>
> DMZ A: security level 50
> DMZ B: security level 20
> DMZ C: security level 0
>
> Subnet X belongs to DMZ A
> subnet Y belongs to DMZ B
> Subnet Z belongs to DMZ C
>
> Rules:
> Subnet X on DMZ A is 'NAT exempted' with another subnet Y on DMZ B (using
> ACL)
> Subnet X is allowed 'ip any' access (incoming access-list), on DMZ A
> access-list
> On DMZ C, there is a 'permit ip any any' (incoming access-list)
>
> PIX software: v7.2(1)
>
> Analysis:
> Because subnet X is 'nat exempted', it will translate as-is for any traffic
> originating towards and from (bi-directional behaviour) the subnet Y. BUT,
> this will also translate the subnet X, *as is*, on the DMZ C (if DMZ A
> subnet tries to direct any traffic towards DMZ C subnet).
>
> Understanding:
> Given the above configuration (and my analysis), if there is any traffic
> originating from DMZ A (higher) to DMZ C (lower), it will be allowed.
> Also, if there is any traffic originating from DMZ C to DMZ A (lower to
> higher), the traffic will be allowed because the ACLs allow those and
> because the NAT exemption rule will translate the subnet on all DMZs
> (assuming there was an attempt initially to send traffic towards DMZ C, from
> DMZ A)
>
> It's been a year now since I touched a PIX, and now I am unable to remember how
> this works. Would be nice if someone here could help me validate my
> understanding of the above.
>
> Thanks in advance.
>
>
> --
> Warm regards,
>
> Amol Sapkal
>
> -------------------------------------------------------------------
> "When I'm not in my right mind, my left mind
> gets pretty crowded"
> -------------------------------------------------------------------