01-23-2004 05:32 AM - edited 03-09-2019 06:12 AM
Hi There
I have some doubts regarding access. I have tried to explain them clearly.
These statements are from the Cisco documentation (Using nat, global, conduit and ...).
"..By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then, by default, the outbound connection will be allowed if there is a translation method configured."
Therefore for
1. Inside(+) ---> Outside(-) (just configure the nat and global commands, plus an ACL, if any, on the inbound interface).
2. Inside(+) ---> Dmz(-)
Is there a need for translation (as per the statement)? Or can it access by default without translation? If translation is needed, can nat 0 be used?
What will be the configuration?
Same question about Dmz(+) ---> Outside(-)?
"..In contrast to the nat and global commands which allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and outside hosts in if the proper conduits are created or ACLs/groups added (PIX software version 5.0.1 or later)."
What is the meaning of "..inside hosts out and outside hosts in" for the static command?
For Outside(-) ---> Dmz(+) (by static, access-list and applying it on the outside interface).
Does this statement mean Dmz(+) ---> Outside(-) (the reverse, with the same static ...)?
If this is the meaning, then it conflicts with the Dmz(+) ---> Outside(-) case above, which asks for translation?
For Dmz(-) ---> Inside(+)
Is this the only way of configuring it, as told by gfullage?
For the mail server (or any host on the DMZ) to access the inside do the following:
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
(where 128.100.*.* is for inside network and 192.168.*.* for dmz network)
Thanks in advance.
Brajesh.
01-23-2004 06:08 AM
First, to help you understand when/what/where/why you need translation/ACLs, you need to understand security levels on an interface.
By default, a "high" security number can access a lower security number without an ACL. Security of the inside interface is 100, DMZ is 50, and outside is 0. So:
inside -> DMZ: you need translation and no ACL (by default)
inside -> outside: you need translation and no ACL (by default)
DMZ -> outside: you need translation and no ACL (by default)
DMZ -> inside: you need translation and an ACL
outside -> DMZ: you need translation and an ACL
outside -> inside: you need translation and an ACL
I say default, because once you apply an ACL of any kind, there is an implicit deny all at the end of the ACL.
So inside configs:
nat (inside) 1 LocalIP LocalMask
global (outside) 1 GlobalIP GlobalMask
global (dmz) 1 GlobalIP GlobalMask
DMZ configs:
nat (dmz) 1 LocalIP LocalMask
global (outside) 1 GlobalIP GlobalMask
global (inside) 1 ip used when going inside (this is reverse NAT)
Outside configs:
static (inside,outside) GlobalIP LocalIP
static (dmz,outside) GlobalIP LocalIP
So, when going from a higher security level to a lower one, by default you only need address translation. When going from a lower security level to a higher security level, you need address translation and ACLs. I hope this helps.
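The rules in the reply above as a small Python model, added here as an example (it is not code from this thread or from Cisco): it parses the nat/global/static/access-list/access-group lines of a constructed sample config and decides whether a new connection between two interfaces would be allowed. The security levels, the sample addresses and the decision logic are assumptions taken only from the statements in this thread.

```python
import ipaddress

SECURITY = {"inside": 100, "dmz": 50, "outside": 0}  # PIX defaults from the reply
CONFIG = """
nat (inside) 1 128.100.0.0 255.255.0.0
global (outside) 1 203.0.113.10
global (dmz) 1 192.168.8.8
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
"""  # constructed sample assembled from the commands quoted in this thread

def _addr(tok, i):  # parse 'any' | 'host A' | 'A MASK' at tok[i] -> (network, next i)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
def parse_config(text):
    cfg = {"nat": {}, "global": {}, "static": set(), "acl": {}, "group": {}}
    for t in (line.split() for line in text.strip().splitlines()):
        if t[0] == "nat":              # nat (if) ID local mask
            cfg["nat"][t[1].strip("()")] = t[2]
        elif t[0] == "global":         # global (if) ID pool
            cfg["global"].setdefault(t[2], set()).add(t[1].strip("()"))
        elif t[0] == "static":         # static (high,low) global local ...
            cfg["static"].add(frozenset(t[1].strip("()").split(",")))
        elif t[0] == "access-list":    # access-list NAME permit|deny proto SRC DST
            src, i = _addr(t, 4)
            cfg["acl"].setdefault(t[1], []).append((t[2], src, _addr(t, i)[0]))
        elif t[0] == "access-group":   # access-group NAME in interface IF
            cfg["group"][t[4]] = t[1]
    return cfg
def has_translation(cfg, src_if, dst_if):  # static is two-way, nat/global one-way
    nat_id = cfg["nat"].get(src_if)
    return (frozenset((src_if, dst_if)) in cfg["static"]
            or dst_if in cfg["global"].get(nat_id, set()))
def flow_allowed(cfg, src_if, dst_if, src_ip, dst_ip):
    """Decide a new connection entering on src_if; returns (allowed, reason)."""
    if not has_translation(cfg, src_if, dst_if):
        return False, "no translation (nat/global or static) for this pair"
    acl = cfg["group"].get(src_if)
    if acl is None:                    # nothing bound inbound on src_if
        allowed = SECURITY[src_if] > SECURITY[dst_if]
        return allowed, "no ACL bound: allowed only from higher to lower security"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in cfg["acl"].get(acl, []):
        if s in src and d in dst:      # first match wins
            return action == "permit", f"matched {action} in {acl}"
    return False, f"implicit deny at the end of {acl}"
```

Note that with this sample the DMZ has no nat/global pair of its own, so a DMZ host reaching the outside is refused for lack of translation, which is the point the reply makes about each interface pair needing its own translation.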
01-28-2004 06:47 AM
Thanks for your reply.
Could you just check these configurations?
For Dmz(-) ---> Inside(+)
Is this the only way of configuring it, as told by gfullage?
For the mail server (or any host on the DMZ) to access the inside do the following:
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
(Is there any other way except this?)
(where 128.100.*.* is for inside network and 192.168.*.* for dmz network)
For Inside(+) --> Dmz(-)
nat (inside) 1 128.100.0.0 255.255.0.0
global (dmz) 1 10.0.10.12 (or any 192.168.8.8 address)
Thanks.
Brajesh