Re: is it true about ASA?

From: Jason W. Miller (jaymiller5@gmail.com)
Date: Sun Jul 20 2008 - 17:02:52 ART


Yes good explanation Dave. I unicast Muhammad the same input of how this
works and the documentation as well.

What most do not understand is that NAT is handled on the highest level interface,
not the destination interface/network. So doing a catch-all of 0 0 implies
that all traffic entering the inside interface from the hosts on the
inside needs to be translated going to ANY lower security level interface. In
the document CD it explains this in detail, knowing the behavior and
direction in which NAT is applied. And most labs only have a single network
or two that are going to hit a lower security interface such as outside or
dmz. In the real world this might not be the case, and it does get extremely
complicated quickly.

Which is the point of getting your CCIE in security is it not? :-)

Jay

On Sun, Jul 20, 2008 at 3:37 PM, David Tran <davidtran_mclean@yahoo.com>
wrote:

> here is a better way to understand this with an example.
>
> You have an ASA with four interfaces: inside, outside, dmzA and dmzB with
> security level 100, 0, 90 and 80, respectively, and that you have "no nat-control"
> enabled, which is the default.
>
> Now let's say you do this:
>
> nat (inside) 1 0 0
> nat (dmzA) 1 0 0
> global (outside) 1 interface
>
> Now let's say you do NOT want to NAT anything between inside, dmzA and dmzB.
> If that is the case, then you have to do this:
>
> static (inside,dmzA) x.x.x.x x.x.x.x netmask y.y.y.y
> static (inside,dmzB) x.x.x.x x.x.x.x netmask y.y.y.y
> static (dmzA,dmzB) z.z.z.z z.z.z.z netmask v.v.v.v
>
> or use nat exemption.
>
> The key thing to look for is the number of interfaces and the security level
> on the interfaces themselves.
>
> As you can see, things can get complicated very quickly. This is the result
> of putting security levels on the interfaces.
>
> --- On Sun, 7/20/08, sushil menon <sushilmenon2001@gmail.com> wrote:
> From: sushil menon <sushilmenon2001@gmail.com>
> Subject: Re: is it true about ASA?
> To: "Muhammad Nasim" <muhammad.nasim@gmail.com>
> Cc: "Cisco certification" <security@groupstudy.com>, "GS CCIE-Lab"
> <ccielab@groupstudy.com>
> Date: Sunday, July 20, 2008, 1:49 PM
>
> Hi, in this case all the traffic from the inside will be NATed while going to
> the outside, even though nat-control is disabled. But traffic from the dmz to
> the outside will not be NATed, since nat-control is disabled.
>
> regards
>
> sushil
>
> On Sun, Jul 20, 2008 at 10:00 PM, Muhammad Nasim
> <muhammad.nasim@gmail.com>
> wrote:
>
> > Dear All,
> >
> > Is it true that if we enable pat on ASA for e.g
> >
> > nat (inside) 1 0 0
> > global (outside) 1 interface
> >
> > Then the ASA will behave the same as if "nat-control" is enabled (although
> > nat-control is disabled).
> >
> > Any inputs and links will be helpful
> >
> > Thanks
> >
> >
> > --
> > Muhammad Nasim
> > Network Engineer
> > Saudi Arabia
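As an added illustration of the behavior David and Jay describe above (written for this archive page, not part of the thread and not Cisco code), the following Python models pre-8.3 ASA NAT matching: nat exemption first, then static, then dynamic nat/global matching, with nat-control only affecting flows no rule matches. Interface names and security levels follow David's example; the host addresses, the network used for the static identity lines, and the simplified order of operations are assumptions of the model.

```python
# Simplified, stand-alone model of pre-8.3 ASA NAT lookup for a flow leaving a
# higher-security interface toward a lower-security one (an assumption, not
# Cisco's implementation). It captures the thread's point: "nat (ifc) 1 0 0"
# claims every host behind ifc for every lower-security egress, and the
# translation only completes where a "global" with the same id exists.
from ipaddress import ip_address, ip_network

# Constructed topology from David's example: interface name -> security level.
IFACES = {"inside": 100, "dmzA": 90, "dmzB": 80, "outside": 0}


class Asa:
    def __init__(self, nat_control=False):
        self.nat_control = nat_control
        self.exempt = []      # (ifc, network)               nat (ifc) 0 access-list ...
        self.static = []      # (real_ifc, mapped_ifc, net)  static (real,mapped) x x netmask y
        self.dynamic = []     # (ifc, nat_id, network)       nat (ifc) id net mask
        self.globals = set()  # (ifc, nat_id)                global (ifc) id interface

    def lookup(self, src_ifc, src_ip, dst_ifc):
        """Outcome for src_ip behind src_ifc going to a lower-security dst_ifc:
        'exempt', 'static', 'dynamic', 'untranslated' or 'drop'."""
        ip = ip_address(src_ip)
        if IFACES[src_ifc] <= IFACES[dst_ifc]:
            raise ValueError("model only covers high-to-low security flows")
        if any(i == src_ifc and ip in n for i, n in self.exempt):
            return "exempt"
        if any(r == src_ifc and m == dst_ifc and ip in n for r, m, n in self.static):
            return "static"
        hit = next((nid for i, nid, n in self.dynamic if i == src_ifc and ip in n), None)
        if hit is not None:
            # Matched a dynamic rule; without a global on the egress, no xlate.
            return "dynamic" if (dst_ifc, hit) in self.globals else "drop"
        # No rule matched: only nat-control forces a translation requirement.
        return "drop" if self.nat_control else "untranslated"


def david_example(nat_control=False, identity_fix=False):
    """Build the thread's config; identity_fix adds David's static identity lines."""
    asa = Asa(nat_control)
    anyaddr = ip_network("0.0.0.0/0")                  # the "0 0" catch-all
    asa.dynamic += [("inside", 1, anyaddr), ("dmzA", 1, anyaddr)]
    asa.globals.add(("outside", 1))
    if identity_fix:                                   # constructed 10.0.0.0/8 for x.x.x.x
        for real, mapped in (("inside", "dmzA"), ("inside", "dmzB"), ("dmzA", "dmzB")):
            asa.static.append((real, mapped, ip_network("10.0.0.0/8")))
    return {
        "inside->outside": asa.lookup("inside", "10.1.1.5", "outside"),
        "inside->dmzA": asa.lookup("inside", "10.1.1.5", "dmzA"),
        "dmzA->dmzB": asa.lookup("dmzA", "10.2.2.5", "dmzB"),
        "dmzB->outside": asa.lookup("dmzB", "10.3.3.5", "outside"),
    }
```

Flows from dmzB, which has no nat rule at all, pass untranslated only while nat-control stays disabled, which is sushil's point; inside->dmzA and dmzA->dmzB are dropped by the catch-all until the static (or exemption) lines are added.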



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART