From: David Tran (davidtran_mclean@yahoo.com)
Date: Mon Jul 21 2008 - 08:32:42 ART
"In the real world this might not be the case and it does get extremely
complicated quickly."
I totally agree. That's why most Managed Security Service Providers, MSSP,
prefer Checkpoint firewalls over Cisco ASA appliances precisely for this reason.
When you have a very large network and a complicated network, things can get
extremely difficult for configuration changes and troubleshooting. You can cause
an outage with a simple change, especially when it involves NAT.
With Checkpoint, you do not have this issue because checkpoint does not have
security level on the interface thus making things much easier to understand.
I do not understand why Cisco does not get rid of the security level on the
ASA.
It does not have any practical benefits, if you ask me.
--- On Sun, 7/20/08, Jason W. Miller <jaymiller5@gmail.com> wrote:
From: Jason W. Miller <jaymiller5@gmail.com>
Subject: Re: is it true about ASA?
To: "David Tran" <davidtran_mclean@yahoo.com>
Cc: "Muhammad Nasim" <muhammad.nasim@gmail.com>, "sushil menon"
<sushilmenon2001@gmail.com>, "Cisco certification" <security@groupstudy.com>,
"GS CCIE-Lab" <ccielab@groupstudy.com>
Date: Sunday, July 20, 2008, 4:02 PM
Yes good explanation Dave. I unicast Muhammad the same input of how this works
and the documentation as well.
What most do not understand is NAT is handled on the highest level interface,
not the destination interface/network. So doing a catch-all of 0 0 implies
that all traffic entering the inside interface from the hosts on the
inside needs to be translated going to ANY lower security level interface. In
the document CD it explains this in detail, knowing the behavior and direction
in which NAT is applied. And most labs only have a single network or two that
are going to hit a lower security interface such as outside or dmz. In the
real world this might not be the case and it does get extremely complicated
quickly.
Which is the point of getting your CCIE in security is it not? :-)
Jay
On Sun, Jul 20, 2008 at 3:37 PM, David Tran <davidtran_mclean@yahoo.com>
wrote:
Here is a better way to understand this, with an example.
You have an ASA with four interfaces: inside, outside, dmzA and dmzB with
security level 100, 0, 90 and 80, respectively, and you have "no nat-control"
enabled, which is the default.
Now let's say you do this:
nat (inside) 1 0 0
nat (dmzA) 1 0 0
global (outside) 1 interface
Now let's say you do NOT want to NAT anything between inside, dmzA and dmzB.
If that is the case, then you have to do this:
static (inside,dmzA) x.x.x.x x.x.x.x netmask y.y.y.y
static (inside,dmzB) x.x.x.x x.x.x.x netmask y.y.y.y
static (dmzA,dmzB) z.z.z.z z.z.z.z netmask v.v.v.v
or use nat exemption.
The key thing to look for is the number of interfaces and the security level
on the interfaces themselves.
As you can see, things can get complicated very quickly. This is the result
of putting security levels on the interfaces.
--- On Sun, 7/20/08, sushil menon <sushilmenon2001@gmail.com> wrote:
From: sushil menon <sushilmenon2001@gmail.com>
Subject: Re: is it true about ASA?
To: "Muhammad Nasim" <muhammad.nasim@gmail.com>
Cc: "Cisco certification" <security@groupstudy.com>, "GS CCIE-Lab"
<ccielab@groupstudy.com>
Date: Sunday, July 20, 2008, 1:49 PM
Hi, in this case all the traffic from the inside will be natted while going to
the outside, even though nat-control is disabled. But traffic from dmz to
outside will not be natted since nat-control is disabled.
regards
sushil
On Sun, Jul 20, 2008 at 10:00 PM, Muhammad Nasim
<muhammad.nasim@gmail.com>
wrote:
> Dear All,
>
> Is it true that if we enable pat on ASA for e.g
>
> nat (inside) 1 0 0
> global (outside) 1 interface
>
> Then ASA will behave the same as "nat-control" is enabled (although
> nat-control is disabled).
>
> Any inputs and links will be helpful
>
> Thanks
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART