
Simple NAT Question

This is a basic question but recent happenings on a new installation have made me question my understanding of NAT.
My understanding is that all inside traffic is allowed out by default as long as there exists a translation rule, but no inbound traffic from the internet is permitted unless specifically granted in an access list applied on the outside interface.
Hence a translation like:
nat (inside) 1 10.1.80.0 255.255.255.0 0 0
would permit everyone on the 10.1.80.0 network to access the internet, say for http, but if there were no entry such as "access-list 101 permit tcp any host 10.1.80.0 255.255.255.0 eq" they would not get a reply.
Is this correct?
I have internal users who have access to the internet when my feeling is that they shouldn't.
There may however be some interaction between the access list I have on the outside interface and the one I have on the dmz interface.
Many thanks
Rob
 
Hi.

For outbound connections, you need both NAT and GLOBAL, not only NAT.
The return traffic is permitted automatically by the PIX using stateful inspection of the traffic and creating dynamic access lists (you don't see them in the configuration).
So you should NOT create an access list for return traffic.

You can limit outbound traffic using an access list on the inside interface, or with AAA, but the latter isn't a simple solution for users or for the administrator.

For newbies, I suggest using PDM for managing the PIX access and translation rules.

You can also use Pixscript for creating a basic sample configuration:

And, you'll find this link very useful:

Bye

Yizhar Hurwitz
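The nat/global pairing and inside-interface restriction Yizhar describes, written out as a PIX 6.x configuration fragment. This is an added example, not configuration posted by either participant; the interface names, the 10.1.80.0/24 inside network (taken from Rob's post), the access-list names, the DMZ server and the 203.0.113.10 global address are assumed values chosen for illustration.

```text
: Translation: inside hosts in 10.1.80.0/24 belong to NAT id 1
: (the trailing "0 0" leaves max connections and embryonic limit unlimited)
nat (inside) 1 10.1.80.0 255.255.255.0 0 0
: The matching global with the same id is what completes the outbound path;
: here it is PAT on the outside interface address
global (outside) 1 interface

: Limit what inside users may START; anything not listed is dropped.
: This is the place to stop the users Rob feels should not reach the internet.
access-list inside_out permit tcp 10.1.80.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.1.80.0 255.255.255.0 any eq 443
access-list inside_out permit udp 10.1.80.0 255.255.255.0 any eq domain
access-group inside_out in interface inside

: The outside list only needs entries for sessions the internet may INITIATE,
: e.g. to a statically mapped DMZ server (assumed addresses). Replies to
: inside-initiated sessions are matched against the connection table and
: need no entry here, so "permit ... 10.1.80.0" lines on this list are redundant.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

Two points worth checking on a real box: "show xlate" and "show conn" display the translation and connection entries the PIX builds for each outbound session, which is the state that lets the reply back in; and the outside access list is evaluated against the global (translated) address, so an entry naming an inside private address on that interface never matches anything at all.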
 
Thank you for the detailed response. I have been under a misapprehension about NAT. I was of course using the global command with the nat command, but did not realise that the replies to outgoing traffic permitted by the above two commands were allowed back through the firewall without further permission. Hence I have a lot of redundant entries in the access-list/access-group allocated to the external interface, as I thought I had to specifically allow them back in.
Unfortunately PDM is not much good if you are using IPSec. Since I added the IPSec commands, PDM does not seem to be able to parse them and won't display the page any more.
I have used your Pixscript before with success though.
Many Thanks
Rob
 