I'm going to use an example from a book that I'm having trouble understanding because if someone can explain this example to me, I think I'll have a grasp on what I need to know.
This is a PIX with three interfaces.
192.168.1.0/24 is attached to the outside interface.
192.168.5.0/24 is attached to the DMZ interface.
192.168.2-4.0/24 are all behind the inside interface.
The snippet of the configuration provided is this:
pixfirewall(config)# global (outside) 1 200.200.200.10-200.200.200.253 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 0 0
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# static (dmz, outside) 200.200.200.1 192.168.5.5
pixfirewall(config)# static (dmz, outside) 200.200.200.2 192.168.5.6
pixfirewall(config)# static (inside, dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# nat (inside) 0 access-list NO_NAT
Now, I understand all of this config and most other configs, but for some reason I've just never gotten how no nat works exactly. I'd like to understand it well.
The book says "If a device from the inside interface tries to access a device on the dmz interface, it will not have its address translated -- this is based on the very last static command in the configuration." Fine and dandy. So, the static entry in question keeps things going from the inside -> dmz from being translated. What does the NO_NAT ACL do?
Originally, I thought it was some kind of similar thing, but in reverse (i.e., telling things going out from the DMZ not to try to NAT to the addresses in question, the 192.168.2-4.0/24 networks), but that makes no sense because it's applied to the inside interface. Is that ACL applied with the "nat (inside)" statement just a redundancy of the static statement?
Also, what are the security implications of disabling NAT? Do the security level implications still apply (i.e., things on the security 100 inside can still reach things on the security 50 DMZ interface but not vice versa, assuming that there is no other ACL involvement), or does disabling NAT remove that difference in security level?
Someone please help me. I feel like I'm frustrated enough and asking such a hugely broad question that I'm going to go ahead and assign a high point value to hopefully make it worth someone's while.
Thanks very much.
So, for example, let's use this:
Exchange server on the LAN with an address of 192.168.5.245 connecting to a DMZ mail server with an address of 192.168.1.245.
DMZ interface is 192.168.1.1.
When the Exchange server connects to the DMZ host, the DMZ host will see the packet as coming from 5.245 due to the static translation.
But if a workstation, say, on another subnet were to connect to the DMZ host, the mail server would see its IP as the DMZ interface IP address.
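To make the lookup order the question is asking about concrete, here is a small model of the translation decision, written for this thread (it is example code, not from the book, the poster, or Cisco). It loads the question's configuration and assumes the simplified PIX 6.x order of operations: nat 0 access-list exemption is checked first and matches on source AND destination, then static translations, then nat/global dynamic translation, and a packet with no matching translation gets no xlate and is dropped. The egress interface is assumed to come from the routing decision and is passed in directly; the hosts 192.168.9.10 and 203.0.113.9 are constructed test values. The security-level check is kept separate on purpose, because NAT exemption does not alter security levels.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of the PIX 6.x translation lookup order (constructed for this
# thread, not Cisco code). Order assumed:
#   1. nat (src_if) 0 access-list  -> NAT exemption, src AND dst must match, no translation
#   2. static (real_if,mapped_if)  -> static translation of the real address
#   3. nat (src_if) <id> + global (egress_if) <id> -> dynamic NAT/PAT from the pool
#   4. nothing matched             -> no xlate, packet dropped


@dataclass
class Exempt:        # nat (src_if) 0 access-list X ; access-list X permit ip <src_net> <dst_net>
    src_if: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network


@dataclass
class Static:        # static (real_if,mapped_if) <mapped> <real> [netmask <mask>]
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


@dataclass
class DynNat:        # nat (src_if) <id> <net> <mask>   ("0 0" means any source)
    src_if: str
    nat_id: int
    net: ipaddress.IPv4Network


@dataclass
class Global:        # global (egress_if) <id> <pool>
    egress_if: str
    nat_id: int
    pool: str


def net(s):
    return ipaddress.ip_network(s)


# The configuration from the question, transcribed into the model above.
CONFIG = {
    "exempt": [Exempt("inside", net(f"192.168.{n}.0/24"), net("192.168.5.0/24"))
               for n in (2, 3, 4)],
    "static": [
        Static("dmz", "outside", net("200.200.200.1/32"), net("192.168.5.5/32")),
        Static("dmz", "outside", net("200.200.200.2/32"), net("192.168.5.6/32")),
        Static("inside", "dmz", net("192.168.5.0/24"), net("192.168.5.0/24")),
    ],
    "dyn": [DynNat("inside", 1, net("0.0.0.0/0")), DynNat("dmz", 1, net("0.0.0.0/0"))],
    "global": [Global("outside", 1, "200.200.200.10-200.200.200.253")],
}

EXEMPT = "exempt: nat 0 access-list, source not translated"
STATIC = "static translation"
DYNAMIC = "dynamic nat/global translation"
DROP = "no xlate: no translation group found, packet dropped"


def translate(cfg, src_if, src_ip, dst_if, dst_ip):
    """Return (source address as seen by the destination, reason)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # 1. NAT exemption: destination-aware, so only the listed inside->dmz flows match.
    for e in cfg["exempt"]:
        if e.src_if == src_if and src in e.src_net and dst in e.dst_net:
            return str(src), EXEMPT
    # 2. Static: keyed on the real interface and the mapped (egress) interface only.
    for s in cfg["static"]:
        if s.real_if == src_if and s.mapped_if == dst_if and src in s.real:
            offset = int(src) - int(s.real.network_address)   # netmask statics map 1:1
            mapped = ipaddress.ip_address(int(s.mapped.network_address) + offset)
            return str(mapped), STATIC
    # 3. Dynamic: needs a nat entry on the ingress and a global with the same id on the egress.
    for d in cfg["dyn"]:
        if d.src_if == src_if and src in d.net:
            for g in cfg["global"]:
                if g.egress_if == dst_if and g.nat_id == d.nat_id:
                    return f"<address from pool {g.pool}>", DYNAMIC
    # 4. No translation available on this interface pair.
    return None, DROP


SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


def allowed_by_default(src_if, dst_if):
    """Security levels are evaluated independently of translation: higher -> lower
    is permitted implicitly, lower -> higher needs an explicit access-list."""
    return SECURITY_LEVEL[src_if] > SECURITY_LEVEL[dst_if]


if __name__ == "__main__":
    for flow in [("inside", "192.168.2.10", "dmz", "192.168.5.5"),
                 ("inside", "192.168.2.10", "outside", "203.0.113.9"),
                 ("dmz", "192.168.5.5", "outside", "203.0.113.9"),
                 ("dmz", "192.168.5.7", "outside", "203.0.113.9"),
                 ("inside", "192.168.9.10", "dmz", "192.168.5.5")]:
        print(flow, "->", translate(CONFIG, *flow), "| default permit:",
              allowed_by_default(flow[0], flow[2]))
```

Running it shows the difference the question is chasing: the NO_NAT exemption is the only rule that matches on the destination as well as the source, so an inside host from 192.168.2-4.0/24 reaches the DMZ with its own address, while an inside host outside those ranges (192.168.9.10 here) finds no exemption, no static and no global on the DMZ interface and is dropped. Whether a flow is permitted at all is still decided by security levels and access-lists, not by the translation lookup.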