Re: Help with "Address Transforms"

fwwd · ‎06-16-2009

I have just replaced a Raptor firewall with a Cisco ASA 5505. On the Raptor, I could specify that all inbound traffic on the outside interface be transformed into a 10.1.2.x address from a pool. What is the equivalent command on a Cisco? I had two two Raptors that sent SMTP to one SPAM filter, and the transformed address identified which raptor sent the message.

thomas.chen · ‎06-22-2009

Outbound access describes connections from a higher security level interface to a lower security level interface. This includes connections from inside to outside, inside to Demilitarized Zones (DMZs), and DMZs to outside. This can also include connections from one DMZ to another, as long as the connection source interface has a higher security level than the destination. Review the "security-level" configuration on the PIX interfaces in order to confirm this.

This example shows the security level and interface name configuration:

pix(config)#interface ethernet 0

pix(config-if)#security-level 0

pix(config-if)#nameif outside

pix(config-if)#exit PIX 7.0 introduces the nat-control command. You can use the nat-control command in configuration mode in order to specify if NAT is required for outside communications. With NAT control enabled, configuration of NAT rules is required in order to allow outbound traffic, as is the case with previous versions of PIX software. If NAT control is disabled (no nat-control), inside hosts can communicate with outside networks without the configuration of a NAT rule. However, if you have inside hosts that do not have public addresses, you still need to configure NAT for those hosts.