Re: [fw-wiz] static nat and tcp limits

Easiest way I've found to handle inside to DMZ traffic with the
following presumption:
Your security policy has no need for any of the "NAT inspections" the
firewall does when it performs NAT across interfaces

Easiest way to do this is to define a nonat group that includes your
inside & DMZ networks both directions.

And in your case it would appear to be a simple nonat ACL of:
Permit ip

Then define your appropriate "nat (1)" statements for the appropriate
interfaces (inside & DMZ).

This will make the firewall NOT perform NAT when either inside talks to
DMZ or DMZ talks to inside.

The added side benefit of this is it makes writing 'secure' (haha - I've
seen some BAD ones) ACLs that allow traffic from the DMZ into the
inside. Since there is no NAT happening you don't have to worry about
trying to figure out what inside address a DMZ system needs to be
configured to allowed to reach.

You're only dealing with RFC1918 address when creating/managing your
'interior' ACLs to me means easier firewall management.


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Vladislav Antolik
Sent: Friday, February 29, 2008 5:27 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] static nat and tcp limits


I'm using Cisco Pix 515E, 8.0(3).
I have two networks - inside and dmz. Inside has sec. level 100, dmz
50. To communicate hosts from inside to dmz I made
static (inside,dmz) netmask tcp 0 10.
I think that Pix during NAT vindicate NAT-ed IP address on destination
interface, so I had on these segments two devices with the same IP
Is it true? What is the best solution; disable nat-control and then
disable static record?
Many thanks,
firewall-wizards mailing list

This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

firewall-wizards mailing list