NAT exemption versus Static NAT. Where is the difference?

Discussion in 'Cisco' started by Anonymous Poster, Apr 26, 2004.

  1. Hello Folks,

    I have a PIX firewall with, say, three interfaces:

    - inside (security 100) (192.168.100.x)
    - outside (security 0) (192.168.0.x)
    - test (security 50) (192.168.50.x)

    None of these interfaces is actually connected to the internet. They
    all use private IP address ranges and this is not likely to change.
    This is strictly a firewall protecting three internal clients from
    each other, and those would be separate networks if they didn't have
    to talk to each other occasionally.

    The "inside" network is the most trusted (duh!), used by the
    engineers, and access should be granted to all other networks. This is
    done by default on the PIX. Outside may need to initiate connections
    to test and inside. Test also may need to initiate some connections
    to inside and outside.

    After reading the documentation, my first thought was to use NAT
    exemption (I don't need NAT at all), followed by some simple
    access-lists. Example:

    ! This should turn off NAT for good (nat 0 needs the interface name on the PIX)
    access-list all_ips permit ip any any
    nat (inside) 0 access-list all_ips
    nat (outside) 0 access-list all_ips
    nat (test) 0 access-list all_ips

    ! one host in test needs to access inside
    ! one host in outside needs to access inside
    ! (telnet is TCP, so the ACL must match tcp for "eq 23" to be valid)

    access-list acl_test permit tcp host 192.168.50.1 host 192.168.100.1 eq 23
    access-group acl_test in interface test

    access-list acl_outside permit tcp host 192.168.0.1 host 192.168.100.1 eq 23
    access-group acl_outside in interface outside

    This seems to work pretty well, but a friend pulled his hair out,
    saying that PIX firewalls were *NEVER* meant to be used without NAT,
    and blablabla. Him being a CCNA, with impressive credentials, I
    decided to listen.

    His proposed configuration is:

    ! This should turn off NAT for good (identity NAT)
    nat (inside) 0 0 0
    nat (outside) 0 0 0
    nat (test) 0 0 0

    ! Static translations (the PIX command is "static", not "nat")

    static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (inside,test) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (outside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (outside,test) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (test,inside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
    static (test,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

    ! one host in test needs to access inside
    ! one host in outside needs to access inside

    access-list acl_test permit tcp host 192.168.50.1 host 192.168.100.1 eq 23
    access-group acl_test in interface test

    access-list acl_outside permit tcp host 192.168.0.1 host 192.168.100.1 eq 23
    access-group acl_outside in interface outside

    --- End of configurations ---

    His approach seems unnecessarily complicated to me. I checked and
    re-checked the documentation about NAT Exemption (my case) versus
    Identity NAT (his case). The difference is expressed as:

    --- excerpt from cisco documentation ---
    It is important to understand the difference between identity NAT and
    NAT exemption. With identity NAT, you can accept the inbound traffic
    only when the traffic is initiated from the inside and after the xlate
    is created. NAT exemption allows traffic whenever it matches the
    referenced ACL, regardless of whether or not there is already an
    xlate. Identity NAT allows you to set additional NAT parameters, such
    as norandomseq. NAT exemption allows only the outside option.
    --- end of excerpt ---

    From the explanation, it seems that with NAT exemption I would never
    be able to connect lower security networks to higher security ones. I
    tested and that does not seem to be the case (I verified normal
    connections, as long as I have the access-list granting access). I was
    also concerned about proper TCP/UDP connection tracking with my
    solution, but it does not seem to be affected.

    I'm stuck and confused. What is, after all, the difference between the
    two solutions? What are the shortcomings of NAT exemption? It seems so
    much more elegant in my particular case. Any ideas?

    Many Thanks
    Dr. 171

    PS: The PIX does not seem to keep track of ICMP echo/echo-reply. Is
    that true? Do I always need to allow returning echo-requests?
     
    Anonymous Poster, Apr 26, 2004
    #1
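The following is an added example, not part of the original post and not Cisco code: a small Python model of the admission decision the quoted excerpt describes, run against the three configurations in the thread (the poster's `nat 0 access-list` exemption, the friend's `nat (if) 0 0 0` identity NAT on its own, and identity NAT plus a static translation). It assumes PIX 6.x defaults as the excerpt states them: an inbound (lower- to higher-security) connection needs a translation that already exists, either a static or an identity xlate built when the higher-security host initiated, or a NAT exemption match, and then an access-list permit on the ingress interface; without an access-group, higher-to-lower traffic is allowed and the reverse denied. Interface names, security levels and addresses are the ones from the post; the class, function and field names are this example's own.

```python
# Added example for this thread: a toy model of how a PIX 6.x decides to
# admit a connection under the three configurations discussed (NAT
# exemption via 'nat 0 access-list', identity NAT via 'nat (if) 0 0 0',
# and static identity translations). Illustrative code, not Cisco's.
# Assumptions: without an access-group, higher- to lower-security traffic
# is allowed and the reverse denied; an identity xlate is created only
# when the higher-security host initiates, as the quoted excerpt states.
import ipaddress
from dataclasses import dataclass, field

# Interface security levels from the original post
SECURITY = {"inside": 100, "test": 50, "outside": 0}


def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


@dataclass
class Flow:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Pix:
    # 'nat (if) 0 access-list X': (src_prefix, dst_prefix) pairs exempt from NAT
    exemption: list = field(default_factory=list)
    # 'nat (if) 0 0 0': identity NAT; an xlate is built when a host on 'if' initiates
    identity_nat: set = field(default_factory=set)
    # 'static (high,low) net net netmask m': (real_if, prefix) translation that always exists
    statics: list = field(default_factory=list)
    # 'access-group X in interface if': if -> [(proto, src_prefix, dst_prefix, dport)]
    acls: dict = field(default_factory=dict)
    # dynamically created identity xlates: (real_if, ip)
    xlates: set = field(default_factory=set)

    def _translation(self, f):
        """Is there a translation that lets this packet through the NAT stage?"""
        if any(_in(f.src, s) and _in(f.dst, d) for s, d in self.exemption):
            return True, "nat 0 access-list match: no xlate needed in either direction"
        if SECURITY[f.src_if] > SECURITY[f.dst_if]:  # outbound: the trusted side initiates
            if f.src_if in self.identity_nat:
                self.xlates.add((f.src_if, f.src))
                return True, "identity xlate created for the initiator"
            return False, "no nat/global pair for outbound traffic"
        # inbound: the protected destination must already have a translation
        if any(i == f.dst_if and _in(f.dst, p) for i, p in self.statics):
            return True, "static translation exists"
        if (f.dst_if, f.dst) in self.xlates:
            return True, "identity xlate exists because the inside host initiated earlier"
        return False, "no translation for inbound destination"

    def _acl(self, f):
        rules = self.acls.get(f.src_if)
        if rules is None:  # no access-group on the ingress interface
            return SECURITY[f.src_if] > SECURITY[f.dst_if]
        return any(p == f.proto and _in(f.src, s) and _in(f.dst, d) and port in (None, f.dport)
                   for p, s, d, port in rules)

    def admit(self, f):
        ok, why = self._translation(f)
        if not ok:
            return False, why
        if not self._acl(f):
            return False, "access-list on interface %s denies the flow" % f.src_if
        return True, why


# The flow from the post: one host in 'test' telnets to one host in 'inside'
TELNET = Flow("test", "inside", "192.168.50.1", "192.168.100.1", "tcp", 23)
ACL_TEST = {"test": [("tcp", "192.168.50.1/32", "192.168.100.1/32", 23)]}


def exemption_pix():
    """Poster's config: 'nat 0 access-list all_ips' (any any) plus acl_test."""
    return Pix(exemption=[("0.0.0.0/0", "0.0.0.0/0")], acls=dict(ACL_TEST))


def identity_only_pix():
    """Friend's 'nat (if) 0 0 0' lines alone, without the static translations."""
    return Pix(identity_nat={"inside", "outside", "test"}, acls=dict(ACL_TEST))


def static_pix():
    """Friend's config with the static identity translation for the inside subnet."""
    return Pix(identity_nat={"inside", "outside", "test"},
               statics=[("inside", "192.168.100.0/24")], acls=dict(ACL_TEST))


if __name__ == "__main__":
    for name, pix in (("exemption", exemption_pix()), ("identity only", identity_only_pix()),
                      ("static", static_pix())):
        print(name, "->", pix.admit(TELNET))
    pix = identity_only_pix()
    pix.admit(Flow("inside", "test", "192.168.100.1", "192.168.50.1", "tcp", 80))
    print("identity only after inside host initiated ->", pix.admit(TELNET))
```

Running it shows the distinction the excerpt draws: with the exemption or the static, the test host's telnet is admitted as soon as the access-list permits it; with identity NAT alone it is refused for lack of a translation until the inside host has initiated a connection of its own, which is why the friend's configuration needs the static lines and the poster's does not.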