Re: [fw-wiz] static nat and tcp limits



Many thanks. Just one question. Is it true what I've written in my
question, that there could be a problem with two identical IP addresses,
NATed and real?

Vladislav

On Sat, Mar 1, 2008 at 11:54 PM, Fetch, Brandon <bfetch@xxxxxxx> wrote:
Easiest way I've found to handle inside to DMZ traffic with the
following presumption:
Your security policy has no need for any of the "NAT inspections" the
firewall does when it performs NAT across interfaces

Easiest way to do this is to define a nonat group that includes your
inside & DMZ networks both directions.

And in your case it would appear to be a simple nonat ACL of:
Permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0

Then define your appropriate "nat (1)" statements for the appropriate
interfaces (inside & DMZ).

This will make the firewall NOT perform NAT when either inside talks to
DMZ or DMZ talks to inside.

The added side benefit of this is that it makes writing 'secure' (haha - I've
seen some BAD ones) ACLs that allow traffic from the DMZ into the
inside easier. Since there is no NAT happening you don't have to worry about
trying to figure out what inside address a DMZ system needs to be
configured to be allowed to reach.

Only dealing with RFC 1918 addresses when creating/managing your
'interior' ACLs, to me, means easier firewall management.

HTH,
Brandon



-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Vladislav Antolik
Sent: Friday, February 29, 2008 5:27 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] static nat and tcp limits

Hello,

I'm using a Cisco PIX 515E, 8.0(3).
I have two networks - inside and dmz. Inside has security level 100, dmz
50. To allow hosts on the inside to communicate with the dmz I made
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10.
I think that the PIX, during NAT, presents the NATed IP address on the destination
interface, so on these segments I had two devices with the same IP
address.
Is it true? What is the best solution: disable nat-control and then
remove the static record?
Many thanks,
Vladislav
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

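As an added example (not configuration from either poster), the following shows Vladislav's identity static from the original question next to the NAT-exemption layout Brandon describes, in PIX 7.x/8.0 syntax. It also carries the embryonic-connection limit from the static's `tcp 0 10` over to a Modular Policy Framework policy, because a `nat 0` exemption has no per-rule `tcp`/`udp` connection limits of its own. The interface names `inside`, `dmz` and `outside`, the ACL and policy names, and the sample hosts 172.17.10.5 (DMZ web server) and 172.16.5.20 (inside database) are assumptions for illustration; the 172.16.0.0/12 and 172.16.0.0/16 ranges are the ones from the thread.

```text
! --- Before: the identity static from the original question ---
! inside hosts 172.16.0.0/16 keep their own addresses on the dmz side;
! "tcp 0 10" = unlimited TCP connections, at most 10 embryonic (half-open)
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10

! --- After: NAT exemption between inside and dmz (Brandon's approach) ---
! remove the static first; a static and a nat 0 rule for the same
! 172.16.0.0/16 range would overlap
no static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10

! one ACL, RFC 1918 space both ways; nat 0 with an ACL is bidirectional,
! so the same ACL serves both interfaces
access-list nonat extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! nat-control is on by default in 7.x/8.0, so every other flow still needs
! a translation; nat id 1 plus a global on outside for Internet-bound traffic
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! dmz -> inside ACL written in real addresses (assumed hosts: web server
! 172.17.10.5, database 172.16.5.20); no translated address to reason about
access-list dmz_in extended permit tcp host 172.17.10.5 host 172.16.5.20 eq 1433
access-list dmz_in extended deny ip any 172.16.0.0 255.255.0.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz

! the embryonic limit from "tcp 0 10" does not carry over to nat 0;
! restore it with MPF on the dmz interface for dmz -> inside flows
access-list dmz_to_inside extended permit tcp any 172.16.0.0 255.255.0.0
class-map dmz-to-inside
 match access-list dmz_to_inside
policy-map dmz-policy
 class dmz-to-inside
  set connection embryonic-conn-max 10
service-policy dmz-policy interface dmz

! checks after the change
show running-config nat
show running-config static
show xlate
show conn
```

The `nat 0 access-list` exemption works whether `nat-control` is left at its default or disabled, so the nat-control question from the original post does not have to be settled to take this route. The order matters: remove the static before adding the exemption so the firewall never holds both rules for the same range at once, then confirm with `show running-config static` that nothing else still claims 172.16.0.0/16 on the dmz interface, and with `show conn` that inside-to-dmz flows appear with the same address on both sides.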


