topic Access from low security interface to high security interface in Network Security

Access from low security interface to high security interface

timkaye — Wed, 13 Mar 2019 00:52:28 GMT

Hi all.

I thought I had a pretty solid grasp of the Cisco's firewalls, so this puzzles me.

I always understood access from a lower security interface to a higher security interface required a form of translation or xlate using a static statement. When I use the term translation and xlate the static statement could actually NAT or NOT NAT traffic from the low interface to the high interface.

I'm looking at a firewall configuration where there is no static statements, no globals and no NAT statements and traffic appears to be initiated from the lower interface (security 0) to a higher interface (security 90).

How is this so? Its an ASA5510 running 7.0(6).

Is my understanding completely wrong?

Thanks in advance

Re: Access from low security interface to high security interfac

ccbootcamp — Wed, 19 Dec 2007 03:29:50 GMT

You'll need an ACL allowing the traffic.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

Re: Access from low security interface to high security interfac

timkaye — Wed, 19 Dec 2007 03:46:00 GMT

Hi Brad,

Thanks for the reply.

I'm aware of access-lists requring to permit/deny traffic. There is an ACl bound to both interfaces, and I can see it being matched only from low to high.

I don't recall every seeing a firewall with just acl's bound and no translations.

Re: Access from low security interface to high security interfac

ccbootcamp — Wed, 19 Dec 2007 03:48:31 GMT

What about between your DMZ and INSIDE interfaces? That's a pretty standard situation to not have any translations, don't ya think?

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

Re: Access from low security interface to high security interfac

timkaye — Wed, 19 Dec 2007 04:01:12 GMT

Agreed.

But i've always achieved this using a static statement which simply exposes the inside network to the dmz with no address translation.

inside 10.1.10.x

DMZ 10.1.20.x

static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

Cisco's command reference indicates traffic between low to high requires a static.

Re: Access from low security interface to high security interfac

srue — Wed, 19 Dec 2007 04:16:46 GMT

is nat-control enabled?

"show run nat-control"

if nat-control is not enabled (the default(unless an upgrade from 6.x has been done)), you do not need nat entries (static or dynamic) for internal hosts (hosts on higher security-level interfaces) to be reached from lower security level interfaces, or for them to initiate outbound traffic. This feature is new with 7.x.

If nat-control is enabled, then it behaves like 6.x and its predecessors, and nat entries are required for anything going from a higher security level interface to a lower level interface.

Re: Access from low security interface to high security interfac

timkaye — Wed, 19 Dec 2007 04:26:06 GMT

Hey there.

Thanks for the response. It's not configured (enabled). Explains it then.

Someone has configured a firewall with all the statics, with nat-control not enabled. WHY WHY WHY!!

NAT-CONTROL WHY WHY WHY!!!

Re: Access from low security interface to high security interfac

srue — Wed, 19 Dec 2007 13:26:44 GMT

glad i could help...

(and thanks for the rating)...