Re: [fw-wiz] Extreme Problem with PIX Config
Brian,
> I've been fighting this problem for two weeks now. What follows is the
> current config (edited to protect the innocent). If format is maintained,
> the trouble lines will be bolded. These trouble lines are: access-list nonat
> permit ip any any; nat (inside) 0 access-list nonat; access-group nonat in
> interface dmz.
[lots of deletia]
Here's a couple of ideas and recommendations that may help.
First, I don't recommend using the same acl for the "access-group" and
"nat (interface) 0 ..." purposes; keep those acl's separate and things
Second, I recommend applying an acl to every interface with
"access-group". That way no access is implied by security levels;
everything's explicit. Your mileage and tastes may vary.
Third, if you need non-natted access between some pair of
interfaces (say, inside and DMZ), then write a nonat acl for the
interface with the higher security level, permitting all ip from the
higher-security level subnet (source) to the lower-security level subnet
(destination). Note that it doesn't matter whether the packets and
connections are sourced from the higher or lower interface... for nat
purposes the higher security interface is written as source by
So try something like this: (untested) (pardon the long line)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
ip address outside ip.pub.nt.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
access-group acl_inbound in interface outside
access-group acl_dmz in interface DMZ
access-group acl_inside in interface inside
access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside
Traffic that matches acl_nonat_inside (i.e. traffic between
inside and DMZ) will go un-natted; all other traffic (including Internet
traffic) will be natted.
firewall-wizards mailing list
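As an added example (not from the original post, and not Cisco's code), the three recommendations in the reply turned into a small Python lint that can be run over a PIX 6.x-style config before it goes on the box. It is fed two constructed fragments: BROKEN_CFG is modelled on the three trouble lines Brian quoted (same ACL for access-group and nat 0, "permit ip any any", no ACL on inside), and FIXED_CFG is the suggested config above with the placeholder outside address replaced by 203.0.113.126 and three placeholder ACL entries added so every access-group references something; those additions are assumptions. The lint parses only the commands the reply uses and only ip-protocol ACL entries, and it folds interface names to lower case on the assumption that DMZ and dmz name the same interface, as they do in the post.

```python
"""Added example: lint a PIX 6.x-style config against the reply's three rules.
  1. an ACL bound with access-group must not also be the nat 0 ACL
  2. every interface must carry an explicit access-group
  3. a nat 0 entry must not use 'any'; its source must be the nat interface's
     subnet and its destination must sit on a lower-security interface
Only nameif, ip address, access-list ... ip ..., access-group and
nat (if) 0 access-list are understood (an assumption for this example)."""
import ipaddress
import re

RE_NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
RE_IPADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
RE_ACL = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")
RE_AGROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
RE_NAT0 = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A.B.C.D' or 'NET MASK').
    Returns (network or None for 'any', remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse(config_text):
    """Return (interfaces, acls, access_groups, nat0); names are lower-cased."""
    ifaces, acls, agroups, nat0 = {}, {}, {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_NAMEIF.match(line):
            ifaces[m[1].lower()] = {"security": int(m[2]), "net": None}
        elif m := RE_IPADDR.match(line):
            info = ifaces.setdefault(m[1].lower(), {"security": 0, "net": None})
            info["net"] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := RE_ACL.match(line):
            src, rest = _endpoint(m[3].split())
            dst, _ = _endpoint(rest)
            acls.setdefault(m[1], []).append((m[2], src, dst))
        elif m := RE_AGROUP.match(line):
            agroups[m[2].lower()] = m[1]
        elif m := RE_NAT0.match(line):
            nat0[m[1].lower()] = m[2]
    return ifaces, acls, agroups, nat0


def _owner(ifaces, net):
    """Name of the interface whose subnet contains net, or None."""
    for name, info in ifaces.items():
        if info["net"] is not None and net.subnet_of(info["net"]):
            return name
    return None


def lint(config_text):
    """Return a list of findings; an empty list means all three rules hold."""
    ifaces, acls, agroups, nat0 = parse(config_text)
    findings = []
    # Rule 1: the access-group ACL and the nat 0 ACL must be different objects.
    for name in sorted(set(agroups.values()) & set(nat0.values())):
        findings.append(f"acl {name} is used for both access-group and nat 0")
    # Rule 2: no interface may rely on security levels alone.
    for name in sorted(set(ifaces) - set(agroups)):
        findings.append(f"interface {name} has no access-group")
    # Rule 3: nat 0 is written from the higher-security side with real subnets.
    for iface, acl in sorted(nat0.items()):
        info = ifaces.get(iface)
        for action, src, dst in acls.get(acl, []):
            if action != "permit":
                continue
            if src is None or dst is None:
                findings.append(f"nat ({iface}) 0 acl {acl} uses 'any' and exempts traffic that should be natted")
                continue
            if info is None or info["net"] is None or not src.subnet_of(info["net"]):
                findings.append(f"nat ({iface}) 0 acl {acl}: source {src} is not the {iface} subnet")
            owner = _owner(ifaces, dst)
            if owner is None:
                findings.append(f"nat ({iface}) 0 acl {acl}: destination {dst} matches no interface subnet")
            elif info is not None and ifaces[owner]["security"] >= info["security"]:
                findings.append(f"nat ({iface}) 0 acl {acl}: destination {dst} is on {owner}, which is not lower-security than {iface}")
    return findings


# Constructed fragment modelled on the three trouble lines Brian quoted.
BROKEN_CFG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
ip address outside 203.0.113.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address dmz 192.168.1.1 255.255.255.0
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
access-group nonat in interface dmz
"""

# The reply's suggested config; outside address and the three ACL bodies are
# placeholders constructed for this example.
FIXED_CFG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
ip address outside 203.0.113.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
access-list acl_inbound deny ip any any
access-list acl_dmz permit ip 192.168.1.0 255.255.255.0 any
access-list acl_inside permit ip 10.100.0.0 255.255.254.0 any
access-group acl_inbound in interface outside
access-group acl_dmz in interface DMZ
access-group acl_inside in interface inside
access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label, lint(cfg) or "ok")
```

The broken fragment produces four findings (shared ACL, no access-group on inside or outside, and the "any any" nat 0 entry); the suggested config produces none. Rewriting the nonat ACL from the DMZ side, with 192.168.1.0/24 as source and 10.100.0.0/23 as destination under "nat (DMZ) 0", trips the third rule, which is the point the reply makes about always writing the higher-security subnet as the source.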