https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190563#M875199 <P>I have a Cisco PIX 525 with 5 interfaces. 1 is the outside interface with a public address, and there is another public network in the DMZ. Now there are no translations between the DMZ and outside as both contain routable addresses. Now I have created the ACLS, for the outside to get to the DMZ and the traffic works fine. My question is do I need to allow the traffic back from the DMZ or will the traffic be allowed to return due to it being an SPI firewall?</P><P></P><P>Also do I need a NAT 0 statement for traffic passing from the DMZ to the outside?</P> Mon, 11 Mar 2019 15:03:04 GMT networker99 2019-03-11T15:03:04Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190563#M875199 <P>I have a Cisco PIX 525 with 5 interfaces. 1 is the outside interface with a public address, and there is another public network in the DMZ. Now there are no translations between the DMZ and outside as both contain routable addresses. Now I have created the ACLS, for the outside to get to the DMZ and the traffic works fine. My question is do I need to allow the traffic back from the DMZ or will the traffic be allowed to return due to it being an SPI firewall?</P><P></P><P>Also do I need a NAT 0 statement for traffic passing from the DMZ to the outside?</P> Mon, 11 Mar 2019 15:03:04 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190563#M875199 networker99 2019-03-11T15:03:04Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190564#M875201 <HTML><HEAD></HEAD><BODY><P>Lewis</P><P></P><P>Not sure what you mean by no NAT translations. Have you turned NAT off ?</P><P></P><P>Even using public IP addresses on the DMZ you still need to have a NAT rule for traffic to be allowde from a lower to higher security interface eg. something like </P><P></P><P>static (dmz,outside) 195.17.10.0 195.17.10.0 netmask 255.255.255.240</P><P></P><P>So have you turned NAT off or do you have a statement like the one above.</P><P></P><P>If you have turned NAT off nothing is needed on DMZ interface ie. no nat statement and no acl.</P><P></P><P>if you have a static statement like the one given above then you don't need to do anything else.</P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Mar 2009 13:05:09 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190564#M875201 Jon Marshall 2009-03-11T13:05:09Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190565#M875202 <HTML><HEAD></HEAD><BODY><P>We have a NO NAT statement for the DMZ subnet going anywhere</P></BODY></HTML> Wed, 11 Mar 2009 13:24:05 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190565#M875202 networker99 2009-03-11T13:24:05Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190566#M875203 <HTML><HEAD></HEAD><BODY><P>Lewis</P><P></P><P>What is the actual config to do this on your firewall ?</P><P></P><P>Are you experiencing any connectvity problems ?</P><P></P><P>As for the acl you don't one on the DMZ as return traffic from the DMZ to outside will be allowed due to the stateful nature of the firewall and connections from the DMZ can be initiated to a lower security interface.</P><P></P><P>Only if you wanted to </P><P></P><P>a) restrict outbound traffic from DMZ </P><P></P><P>OR</P><P></P><P>b) allow traffic from DMZ to a higher security interface such as the inside </P><P></P><P>would you need an acl.</P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Mar 2009 13:27:16 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190566#M875203 Jon Marshall 2009-03-11T13:27:16Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190567#M875204 <HTML><HEAD></HEAD><BODY><P>I've got it thanks.. I have one other question if you dont mind. We also have an ASA set up with 2 interfaces one with 192.168.1.x and the other with 10.1.10.x, now we have the ACLs configured and traffic can pass between subnets without any NAT statement.. how is this possible?</P></BODY></HTML> Wed, 11 Mar 2009 13:37:12 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190567#M875204 networker99 2009-03-11T13:37:12Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190568#M875205 <HTML><HEAD></HEAD><BODY><P>It may well be that you have nat-control turned off. If you have then you don't need NAT to allow traffic from lower to higher security interface but you still need acl.</P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Mar 2009 13:43:03 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190568#M875205 Jon Marshall 2009-03-11T13:43:03Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190569#M875206 <HTML><HEAD></HEAD><BODY><P>there is nothing to say it is switched off. This is an ASA running v8.0</P></BODY></HTML> Wed, 11 Mar 2009 13:56:55 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190569#M875206 networker99 2009-03-11T13:56:55Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190570#M875207 <HTML><HEAD></HEAD><BODY><P>That's because nat-control is disabled by default on ASA with v8.x software - </P><P></P><P><A class="jive-link-custom" href="https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422" target="_blank">https://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422</A></P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Mar 2009 14:00:41 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190570#M875207 Jon Marshall 2009-03-11T14:00:41Z https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190571#M875208 <HTML><HEAD></HEAD><BODY><P>Many Thanks!</P></BODY></HTML> Wed, 11 Mar 2009 14:02:58 GMT https://community.cisco.com/t5/network-security/passing-traffic/m-p/1190571#M875208 networker99 2009-03-11T14:02:58Z