GroupStudy.com - A virtual community of network engineers
RE: Necessity of Static Commands in PIX Config [7:98221] posted 04/04/2005


Dave,
  My understanding is that traffic going from 10.10.0.0 will only be
permitted if a translated address exists in the xlate table. This will
exist if a connection has been initiated from 10.20.0.0. The
connections in this table are subject to idle timer values and TCP
session control parameters whereby, if no traffic has been received for
the timeout period or the TCP session has ended, the entry is removed
from the xlate table. Therefore a host from 10.10.0.0 accessing
10.20.0.0 that does not have a specific entry in the xlate table will be
refused.

Regards,

Colm



-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
David Mitchell
Sent: 04 April 2005 17:35
To: cisco@xxxxxxxxxxxxxx
Subject: RE: Necessity of Static Commands in PIX Config [7:98221]


Thank you all for your excellent responses!

I still have one grey area though - the "directional" nature of nonat.

Take the following as an example:

nat (inside) 0 access-list no-nat
access-list no-nat permit ip any 10.20.0.0 255.255.0.0

I understand that this will cause any inside traffic destined to
10.20.x.x to NOT be translated - and just use its native addresses.

However, what about traffic initiating from outside (10.20.x.x) trying
to get back in?  Is the NAT 0 statement bi-directional or not?  Is there
a difference between the above NAT 0 and a "static (inside, outside)
10.20.0.0 10.10.0.0"?

Thanks again,

- Dave


-----Original Message-----
From: max.reid@xxxxxxxxxxxxxxxxx [mailto:max.reid@xxxxxxxxxxxxxxxxx] 
Sent: Monday, April 04, 2005 12:27 PM
To: David Mitchell
Cc: cisco@xxxxxxxxxxxxxx
Subject: Re: Necessity of Static Commands in PIX Config [7:98221]


David,

The statement is not needed.  

I believe the best way to handle this is to use NAT 0 and access-lists.
Static mapping the same ip address is pretty kludgy.

Regards,
Max




Quoting David Mitchell :

> Hello all, I have a question about NAT on a FWSM.  I don't believe it
> would be any different on a normal PIX appliance though.
> 
> The question is, do I need to implement some sort of NAT (whether
> static, or dynamic) to allow traffic between interfaces?
> 
> For instance, I have a firewall with several different interfaces.  They
> all have different network addresses, using internal (RFC 1918?)
> addresses.  I have no need to translate their source or destination
> IPs.  I simply want to restrict specific hosts and ports using ACLs.
> 
> In this scenario, if I want to have traffic initiate from my less secure
> interface to my more secure, do I NEED to have a static translation set
> up?  Or can I just make sure the ACL allows it in?
> 
> Hopefully that question makes sense.
> 
> As a follow up question, I am having a hard time understanding the use
> of static translations with the SAME IPs.  For example:
> 
> static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
> 
> Basically there is no translation being done at all.  So is this
> statement even needed?  I see it in many configs.
> 
> Thanks for the help!
> 
> - Dave
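
A worked configuration for the two questions in the thread (whether any translation rule is needed for traffic to cross interfaces, and whether nat 0 with an access-list works in both directions), added here as an example; it is not part of the thread and not anyone's posted config. It uses PIX 6.3 / FWSM 2.x syntax, and the interface names, addresses and the host 10.10.1.5 are assumed for illustration. On those releases a nat or static rule is mandatory before traffic can pass between interfaces (PIX/ASA 7.x and FWSM 3.x later made that optional with no nat-control), so the real choice is which form of untranslated rule to use:

```text
! Added example (not from the thread): PIX 6.3 / FWSM 2.x style config.
! Interface names, addresses and the host 10.10.1.5 are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.20.0.1 255.255.0.0
ip address inside 10.10.0.1 255.255.0.0

! 1) NAT exemption: nat 0 keyed on an access-list. Matching traffic is
!    passed with its real addresses and the exemption is bidirectional:
!    an inside host may reach 10.20.x.x, and a 10.20.x.x host may
!    initiate to inside, with no pre-existing xlate required.
access-list no-nat permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list no-nat

! 2) Identity NAT without an access-list, shown for contrast only. It
!    also leaves addresses alone, but only the inside (real) hosts can
!    initiate; outside hosts cannot open connections through it.
! nat (inside) 0 10.10.0.0 255.255.0.0

! 3) The identity static seen in many configs. Like (1) it translates
!    nothing and lets either side initiate; it is one static per local
!    range rather than one line per source/destination pair.
! static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

! Whatever form is chosen, a connection started from the lower-security
! interface still has to be permitted by that interface's ACL; a nat or
! static rule never grants access by itself.
access-list outside_in permit tcp 10.20.0.0 255.255.0.0 host 10.10.1.5 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

The exemption in (1) and the identity static in (3) are interchangeable as far as direction goes; (1) is usually preferred because the access-list can name several remote ranges in one place, whereas (3) needs a static per local range. In all three cases it is the access-group on the outside interface, not the translation rule, that decides whether 10.20.x.x may start a session.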




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=98231&t=98221
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html