RE: Re: is it true about ASA?

From: verb2300@yahoo.com
Date: Tue Jul 22 2008 - 04:00:55 ART


In an extremely large environment the last thing you want to do is have to edit ACLs across an enterprise every time a new network segment is added (which is what Checkpoint would have you doing). That is precisely the reason for security levels and a "zone" based architecture. It allows you to dynamically implement new network segments with minimal changes to ACLs and NAT rules for exactly the reason stated.... Most network outages are caused by human error. As for centralized configuration etc... That is what Cisco introduced CSM for.

It's like the Windows vs Linux argument. :-)

David Tran wrote:
> "In the real world this might not be the case and it does get extremely
> complicated quickly."
>
> I totally agree. That's why most Managed Security Service Providers, MSSP,
> prefer Checkpoint firewalls over Cisco ASA appliances precisely for this reason.
> When you have a very large network and a complicated network, things can get
> extremely difficult for configuration changes and troubleshooting. You can cause
> an outage with a simple change, especially when it involves NAT.
>
> With Checkpoint, you do not have this issue because checkpoint does not have
> security level on the interface thus making things much easier to understand.
>
> I do not understand why Cisco does not get rid of the security level on the ASA.
> It does not have any practical benefits, if you ask me.
> --- On Sun, 7/20/08, Jason W. Miller <jaymiller5@gmail.com> wrote:
> From: Jason W. Miller <jaymiller5@gmail.com>
> Subject: Re: is it true about ASA?
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: "Muhammad Nasim" <muhammad.nasim@gmail.com>, "sushil menon"
> <sushilmenon2001@gmail.com>, "Cisco certification" <security@groupstudy.com>,
> "GS CCIE-Lab" <ccielab@groupstudy.com>
> Date: Sunday, July 20, 2008, 4:02 PM
> Yes good explanation Dave. I unicast Muhammad the same input of how this works
> and the documentation as well.
>
> What most do not understand is NAT is handled on the highest level interface
> not the destination interface/network. So doing a catch all of 0 0 implies
> that all traffic entering the inside interface from the hosts on the
> inside needs to be translated going to ANY lower security level interface. In
> the document CD it explains this in detail knowing the behavior and direction
> in which NAT is applied. And most labs only have a single network or two that
> are going to hit a lower security interface such as outside or dmz. In the
> real world this might not be the case and it does get extremely complicated
> quickly.
>
> Which is the point of getting your CCIE in security is it not? :-)
>
> Jay
> On Sun, Jul 20, 2008 at 3:37 PM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
> Here is a better way to understand this with an example.
> You have an ASA with four interfaces: inside, outside, dmzA and dmzB with
> security level 100, 0, 90 and 80, respectively, and you have "no nat-control"
> enabled, which is the default.
> Now let's say you do this:
> nat (inside) 1 0 0
> nat (dmzA) 1 0 0
> global (outside) 1 interface
> Now let's say you do NOT want to NAT anything between inside, dmzA and dmzB.
> If that is the case, then you have to do this:
> static (inside,dmzA) x.x.x.x x.x.x.x netmask y.y.y.y
> static (inside,dmzB) x.x.x.x x.x.x.x netmask y.y.y.y
> static (dmzA,dmzB) z.z.z.z z.z.z.z netmask v.v.v.v
> or use NAT exemption.
> The key thing to look for is the number of interfaces and the security level
> on the interfaces themselves.
> As you can see, things can get complicated very quickly. This is the result
> of putting security level on the interface.
> --- On Sun, 7/20/08, sushil menon <sushilmenon2001@gmail.com> wrote:
> From: sushil menon <sushilmenon2001@gmail.com>
> Subject: Re: is it true about ASA?
> To: "Muhammad Nasim" <muhammad.nasim@gmail.com>
> Cc: "Cisco certification" <security@groupstudy.com>, "GS CCIE-Lab"
> <ccielab@groupstudy.com>
> Date: Sunday, July 20, 2008, 1:49 PM
> Hi, in this case all the traffic from the inside will be NATed while going to
> the outside, even though nat-control is disabled. But traffic from dmz to
> outside will not be NATed since nat-control is disabled.
> regards
> sushil
> On Sun, Jul 20, 2008 at 10:00 PM, Muhammad Nasim
> <muhammad.nasim@gmail.com>
> wrote:
>> Dear All,
>>
>> Is it true that if we enable pat on ASA for e.g
>>
>> nat (inside) 1 0 0
>> global (outside) 1 interface
>>
>> Then ASA will behave the same as if "nat-control" is enabled (although
>> nat-control is disabled).
>>
>> Any inputs and links will be helpful
>>
>> Thanks
>>
>>
>> --
>> Muhammad Nasim
>> Network Engineer
>> Saudi Arabia
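The behaviour the thread describes (a host that matches `nat (inside) 1 0 0` is then required to have a matching `global` on every lower-security interface it talks to, even with `no nat-control`, so an inside-to-dmz flow is dropped until a `static` or NAT exemption covers it) is easy to get wrong when reading a config by eye. The following is an added example, not code from anyone in this thread or from Cisco: a small Python model of the pre-8.3 ASA NAT lookup for flows from a higher-security interface to a lower-security one. The rule order it applies (NAT exemption, then static, then dynamic nat/global, then the nat-control check) and the drop reason string are assumptions of the model, as are the interface names, security levels and 10.x.x.x addresses, which are constructed to mirror Dave's four-interface example.

```python
"""Simplified model of pre-8.3 Cisco ASA NAT rule matching (not Cisco code).

Only higher-to-lower-security flows are modelled, which is the direction the
thread is about. Evaluation order assumed here: NAT exemption, static NAT,
dynamic nat/global, then the nat-control fallback.
"""
import ipaddress
import re
from dataclasses import dataclass, field


def _net(addr, mask):
    """Build a network from ASA 'addr mask' tokens; '0 0' is shorthand for any."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Asa:
    security: dict                      # interface name -> security level
    nat_control: bool = False           # False models "no nat-control" (default)
    dynamic: list = field(default_factory=list)   # (src_if, nat_id, real_net)
    globals_: list = field(default_factory=list)  # (egress_if, nat_id, pool text)
    statics: list = field(default_factory=list)   # (high_if, low_if, real, mapped)
    exempt: list = field(default_factory=list)    # (src_if, real_net)

    def configure(self, line):
        """Parse one 'nat', 'global' or 'static' line in pre-8.3 syntax."""
        tok = line.split()
        ifs = re.match(r"\((\w+)(?:,(\w+))?\)", tok[1])
        if tok[0] == "nat":            # nat (if) id addr mask
            self.dynamic.append((ifs.group(1), int(tok[2]), _net(tok[3], tok[4])))
        elif tok[0] == "global":       # global (if) id <interface | pool>
            self.globals_.append((ifs.group(1), int(tok[2]), " ".join(tok[3:])))
        elif tok[0] == "static":       # static (real_if,mapped_if) mapped real netmask mask
            mapped, real, mask = tok[2], tok[3], tok[5]
            self.statics.append((ifs.group(1), ifs.group(2),
                                 _net(real, mask), _net(mapped, mask)))
        else:
            raise ValueError(f"unsupported line: {line}")

    def nat_exempt(self, iface, addr, mask):
        """Stand-in for 'nat (iface) 0 access-list ...' (ACL not modelled)."""
        self.exempt.append((iface, _net(addr, mask)))

    def lookup(self, src_if, src_ip, dst_if):
        """Return (action, detail) for a new connection from src_if to dst_if."""
        if self.security[src_if] <= self.security[dst_if]:
            raise ValueError("model covers higher-to-lower-security flows only")
        ip = ipaddress.ip_address(src_ip)
        for rif, net in self.exempt:                    # exemption wins first
            if rif == src_if and ip in net:
                return ("exempt", str(ip))
        for high, low, real, mapped in self.statics:    # then static NAT
            if high == src_if and low == dst_if and ip in real:
                offset = int(ip) - int(real.network_address)
                return ("static", str(mapped.network_address + offset))
        for rif, nat_id, net in self.dynamic:           # then dynamic nat/global
            if rif == src_if and ip in net:
                for gif, gid, pool in self.globals_:
                    if gif == dst_if and gid == nat_id:
                        return ("dynamic", pool)
                # Matched a nat rule but no global on the egress interface:
                # dropped even though nat-control is disabled (the thread's point).
                return ("drop", "no translation group found")
        if self.nat_control:                            # no rule matched at all
            return ("drop", "nat-control requires a translation")
        return ("untranslated", str(ip))


def thread_example():
    """Dave's four-interface box; the 10.x.x.x hosts are constructed values."""
    asa = Asa(security={"inside": 100, "outside": 0, "dmzA": 90, "dmzB": 80})
    for line in ("nat (inside) 1 0 0", "nat (dmzA) 1 0 0",
                 "global (outside) 1 interface"):
        asa.configure(line)
    before = {
        "inside->outside": asa.lookup("inside", "10.1.1.5", "outside"),
        "inside->dmzA": asa.lookup("inside", "10.1.1.5", "dmzA"),
        "dmzB->outside": asa.lookup("dmzB", "10.3.3.5", "outside"),
    }
    # Identity static for the inside subnet towards dmzA, as in Dave's fix.
    asa.configure("static (inside,dmzA) 10.1.1.0 10.1.1.0 netmask 255.255.255.0")
    after = asa.lookup("inside", "10.1.1.5", "dmzA")
    return before, after


if __name__ == "__main__":
    before, after = thread_example()
    for flow, result in before.items():
        print(f"{flow:16} {result}")
    print(f"{'inside->dmzA':16} {after}  (after static)")
```

Running it shows inside-to-outside PATed, dmzB-to-outside passing untranslated (no nat rule on dmzB, nat-control off), and inside-to-dmzA dropped until the static is added. A review habit this supports: for every `nat (X) id ...` line, list each lower-security interface X can reach and confirm it has either a `global` with that id, a `static`, or an exemption.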



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART