Re: is it true about ASA?

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Mon Jul 21 2008 - 11:03:15 ART


Yeah,

but the problem is that Cisco is not asking you : )

2008/7/21 David Tran <davidtran_mclean@yahoo.com>:

> "In the real world this might not be the case and it does get extremely
> complicated quickly."
>
> I totally agree. That's why most Managed Security Service Providers, MSSP,
> prefer Checkpoint firewalls over Cisco ASA appliances precisely for this
> reason. When you have a very large network and a complicated network, things
> can get extremely difficult for configuration changes and troubleshooting.
> You can cause an outage with a simple change, especially when it involves NAT.
>
> With Checkpoint, you do not have this issue because Checkpoint does not have
> a security level on the interface, thus making things much easier to
> understand.
>
> I do not understand why Cisco does not get rid of the security level on the
> ASA. It does not have any practical benefits, if you ask me.
>
> --- On *Sun, 7/20/08, Jason W. Miller <jaymiller5@gmail.com>* wrote:
>
> From: Jason W. Miller <jaymiller5@gmail.com>
> Subject: Re: is it true about ASA?
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: "Muhammad Nasim" <muhammad.nasim@gmail.com>, "sushil menon" <
> sushilmenon2001@gmail.com>, "Cisco certification" <security@groupstudy.com>,
> "GS CCIE-Lab" <ccielab@groupstudy.com>
> Date: Sunday, July 20, 2008, 4:02 PM
>
>
> Yes, good explanation Dave. I unicast Muhammad the same input on how this
> works and the documentation as well.
>
> What most do not understand is that NAT is handled on the highest level
> interface, not the destination interface/network. So doing a catch-all of 0 0
> implies that all traffic entering the inside interface from the hosts on the
> inside needs to be translated going to ANY lower security level interface. In
> the document CD it explains this in detail, knowing the behavior and
> direction in which NAT is applied. And most labs only have a single network
> or two that are going to hit a lower security interface such as outside or
> dmz. In the real world this might not be the case and it does get extremely
> complicated quickly.
>
> Which is the point of getting your CCIE in security is it not? :-)
>
> Jay
>
> On Sun, Jul 20, 2008 at 3:37 PM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
>
>> Here is a better way to understand this with an example.
>>
>> You have an ASA with four interfaces: inside, outside, dmzA and dmzB with
>> security level 100, 0, 90 and 80, respectively, and you have "no nat-control"
>> enabled, which is the default.
>>
>> Now let's say you do this:
>>
>> nat (inside) 1 0 0
>> nat (dmzA) 1 0 0
>> global (outside) 1 interface
>>
>> Now let's say you do NOT want to NAT anything between inside, dmzA and dmzB.
>> If that's the case, then you have to do this:
>>
>> static (inside,dmzA) x.x.x.x x.x.x.x netmask y.y.y.y
>> static (inside,dmzB) x.x.x.x x.x.x.x netmask y.y.y.y
>> static (dmzA,dmzB) z.z.z.z z.z.z.z netmask v.v.v.v
>>
>> or use NAT exemption.
>>
>> The key thing to look for is the number of interfaces and the security level
>> on the interfaces themselves.
>>
>> As you can see, things can get complicated very quickly. This is the result
>> of putting a security level on the interface.
>>
>> --- On Sun, 7/20/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>> From: sushil menon <sushilmenon2001@gmail.com>
>> Subject: Re: is it true about ASA?
>> To: "Muhammad Nasim" <muhammad.nasim@gmail.com>
>> Cc: "Cisco certification" <security@groupstudy.com>, "GS CCIE-Lab"
>> <ccielab@groupstudy.com>
>> Date: Sunday, July 20, 2008, 1:49 PM
>>
>> Hi, in this case all the traffic from the inside will be natted while going
>> to the outside, even though nat-control is disabled. But traffic from the dmz
>> to the outside will not be natted since nat-control is disabled.
>>
>> regards
>>
>> sushil
>>
>> On Sun, Jul 20, 2008 at 10:00 PM, Muhammad Nasim
>> <muhammad.nasim@gmail.com>
>> wrote:
>>
>> > Dear All,
>> >
>> > Is it true that if we enable PAT on the ASA, e.g.
>> >
>> > nat (inside) 1 0 0
>> > global (outside) 1 interface
>> >
>> > then the ASA will behave the same as when "nat-control" is enabled
>> > (although nat-control is disabled)?
>> >
>> > Any inputs and links will be helpful.
>> >
>> > Thanks
>> >
>> >
>> > --
>> > Muhammad Nasim
>> > Network Engineer
>> > Saudi Arabia
>>
>>
>
>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia
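The thread above walks through a four-interface ASA (inside 100, dmzA 90, dmzB 80, outside 0) with `nat (inside) 1 0 0`, `nat (dmzA) 1 0 0` and a single `global (outside) 1 interface`, and explains why inside-to-dmzA traffic is dropped until an identity static or NAT exemption is added. The following is an added example, not code from the list or from Cisco: a small Python model of the pre-8.3 NAT lookup order (NAT exemption, then static, then dynamic nat/global toward a lower security level, then nat-control for unmatched flows). The class name, its methods and the addresses are constructed for this illustration; outside NAT and policy NAT are deliberately left out of the model.

```python
# Added example: toy model of how a pre-8.3 ASA/PIX selects a NAT rule when
# interface security levels are in play. Not Cisco code; names and addresses
# are constructed. Rule order and the "no translation group" drop follow the
# behaviour discussed in the thread.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ToyAsa:
    levels: dict                                  # interface -> security level
    nat_control: bool = False                     # "no nat-control" is the default
    dynamic: list = field(default_factory=list)   # (ifc, nat_id, source network)
    pools: dict = field(default_factory=dict)     # (ifc, nat_id) -> pool label
    exempt: list = field(default_factory=list)    # (ifc, src_net, dst_net)
    identity: list = field(default_factory=list)  # (real_ifc, mapped_ifc, network)

    # "nat (ifc) id a.b.c.d m.m.m.m" -- "0 0" means any source address
    def nat(self, ifc, nat_id, network="0.0.0.0/0"):
        self.dynamic.append((ifc, nat_id, ip_network(network)))

    # "global (ifc) id interface" (or a pool)
    def global_(self, ifc, nat_id, pool="interface"):
        self.pools[(ifc, nat_id)] = pool

    # "nat (ifc) 0 access-list X" with one permit line src -> dst
    def nat_exempt(self, ifc, src_net, dst_net):
        self.exempt.append((ifc, ip_network(src_net), ip_network(dst_net)))

    # "static (real,mapped) x.x.x.x x.x.x.x netmask m" -- identity only here
    def static_identity(self, real_ifc, mapped_ifc, network):
        self.identity.append((real_ifc, mapped_ifc, ip_network(network)))

    def lookup(self, src_ifc, src, dst_ifc, dst):
        """Return (verdict, reason) for a new flow entering src_ifc bound for dst_ifc."""
        src, dst = ip_address(src), ip_address(dst)

        # 1. NAT exemption is evaluated before any other translation.
        for ifc, s_net, d_net in self.exempt:
            if ifc == src_ifc and src in s_net and dst in d_net:
                return ("PASS", "nat exemption")

        # 2. Static entries are bidirectional between their two interfaces.
        for real_ifc, mapped_ifc, net in self.identity:
            if src_ifc == real_ifc and dst_ifc == mapped_ifc and src in net:
                return ("PASS", "static identity")
            if src_ifc == mapped_ifc and dst_ifc == real_ifc and dst in net:
                return ("PASS", "static identity")

        # 3. Dynamic nat/global applies only toward a lower security interface.
        #    A matching nat statement with no global for that id on the egress
        #    interface is the classic "no translation group found" drop.
        if self.levels[src_ifc] > self.levels[dst_ifc]:
            for ifc, nat_id, net in self.dynamic:
                if ifc == src_ifc and src in net:
                    pool = self.pools.get((dst_ifc, nat_id))
                    if pool is None:
                        return ("DROP", f"no translation group {nat_id} on {dst_ifc}")
                    return ("TRANSLATE", f"global {nat_id} on {dst_ifc} ({pool})")

        # 4. Nothing matched: nat-control decides whether untranslated traffic passes.
        return ("DROP", "nat-control") if self.nat_control else ("PASS", "no nat rule")


def thread_scenario(nat_control=False):
    """The configuration from David Tran's example, with constructed addressing."""
    asa = ToyAsa({"inside": 100, "outside": 0, "dmzA": 90, "dmzB": 80},
                 nat_control=nat_control)
    asa.nat("inside", 1)        # nat (inside) 1 0 0
    asa.nat("dmzA", 1)          # nat (dmzA) 1 0 0
    asa.global_("outside", 1)   # global (outside) 1 interface
    return asa


if __name__ == "__main__":
    asa = thread_scenario()
    for flow in [("inside", "10.1.1.5", "outside", "198.51.100.1"),
                 ("inside", "10.1.1.5", "dmzA", "10.2.1.5"),
                 ("dmzA", "10.2.1.5", "dmzB", "10.3.1.5"),
                 ("dmzB", "10.3.1.5", "outside", "198.51.100.1")]:
        print(flow, "->", asa.lookup(*flow))
    asa.static_identity("inside", "dmzA", "10.1.0.0/16")  # the fix from the thread
    print("after static:", asa.lookup("inside", "10.1.1.5", "dmzA", "10.2.1.5"))
```

Running the scenario shows the three outcomes the thread describes side by side: inside-to-outside and dmzA-to-outside are translated, inside-to-dmzA and dmzA-to-dmzB match nat id 1 but find no global on the egress interface and are dropped, and dmzB-to-outside passes untranslated only because nat-control is off. Adding the identity static (or a NAT exemption) turns the dropped inside-to-dmzA flow into a pass, which is the point of the static lines in David's message.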


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART