Basic NO NAT setups and concepts on a PIX.
Posted on 2006-06-20
I'm going to use an example from a book that I'm having trouble understanding because if someone can explain this example to me, I think I'll have a grasp on what I need to know.
This is a PIX with three interfaces.
192.168.1.0/24 is attached to the outside interface.
192.168.5.0/24 is attached to the DMZ interface.
192.168.2-4.0/24 are all behind the inside interface.
The snippet of the configuration provided is this:
pixfirewall(config)# global (outside) 1 220.127.116.11-18.104.22.168 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 0 0
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# static (dmz, outside) 22.214.171.124 192.168.5.5
pixfirewall(config)# static (dmz, outside) 126.96.36.199 192.168.5.6
pixfirewall(config)# static (inside, dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# access-list NO_NAT permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
pixfirewall(config)# nat (inside) 0 access-list NO_NAT
Now, I understand all of this config and most other configs, but for some reason I've just never gotten how no nat works exactly. I'd like to understand it well.
The book says "If a device from the inside interface tries to access a device on the dmz interface, it will not have its address translated -- this is based on the very last static command in the configuration." Fine and dandy. So, the static entry in question keeps things going from the inside -> dmz from being translated. What does the NO_NAT ACL do?
Originally, I thought it was some kind of similar thing, but in reverse (i.e., telling things going out from the DMZ to not try and NAT to the addresses in question (the 192.168.2-4.0/24 networks)), but that makes no sense because it's applied to the inside interface. Is that ACL applied with the "nat (inside)" statement just a redundancy of the static statement?
Also, what are the security implications of disabling NAT? Do the security level implications still apply (i.e., things on the security100 inside can still reach things on the security50 DMZ interface but not vice versa, assuming that there is no other ACL involvement), or does disabling NAT remove that difference in security level?
Someone please help me. I feel like I'm frustrated enough and asking such a hugely broad question that I'm going to go ahead and assign a high point value to hopefully make it worth someone's while.
Thanks very much.
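Added example (not part of the original post or the book): a simplified Python model of which NAT rule in the configuration above matches a new outbound connection, assuming the documented PIX order of NAT exemption (nat 0 access-list) first, then static, then dynamic nat/global. It ignores existing xlates and interface access-lists, returns rule labels only (so the global and static mapped addresses are not needed), and nat_decision plus the sample hosts are constructed for illustration.

```python
import ipaddress as ip

# Rules transcribed from the post's configuration into a constructed model.
DMZ_NET = ip.ip_network("192.168.5.0/24")
# access-list NO_NAT ... applied with: nat (inside) 0 access-list NO_NAT
NAT0_ACL = {"inside": [(ip.ip_network(f"192.168.{n}.0/24"), DMZ_NET) for n in (2, 3, 4)]}
# static (real_if, mapped_if) mapped real -> keyed here on the REAL network
STATICS = [
    ("dmz", "outside", ip.ip_network("192.168.5.5/32")),
    ("dmz", "outside", ip.ip_network("192.168.5.6/32")),
    ("inside", "dmz", ip.ip_network("192.168.5.0/24")),
]
DYNAMIC_NAT = {"inside": 1, "dmz": 1}   # nat (inside) 1 0 0 / nat (dmz) 1 0 0
GLOBALS = {("outside", 1)}              # global (outside) 1 ...; none on dmz

def nat_decision(src_if, src, dst_if, dst):
    """Return a label for the first NAT rule that matches src -> dst."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    # 1. NAT exemption: matched on source AND destination
    for s_net, d_net in NAT0_ACL.get(src_if, []):
        if src in s_net and dst in d_net:
            return "exempt (nat 0 access-list)"
    # 2. Static: matched on interface pair and real source address
    for real_if, mapped_if, real in STATICS:
        if (real_if, mapped_if) == (src_if, dst_if) and src in real:
            return f"static ({real_if},{mapped_if}) {real}"
    # 3. Dynamic: nat id needs a global with the same id on the egress interface
    nat_id = DYNAMIC_NAT.get(src_if)
    if nat_id is None:
        return "no nat rule"
    if (dst_if, nat_id) in GLOBALS:
        return f"dynamic nat id {nat_id}"
    return f"no global ({dst_if}) {nat_id}"

if __name__ == "__main__":
    for flow in [("inside", "192.168.2.10", "dmz", "192.168.5.5"),
                 ("inside", "192.168.2.10", "outside", "192.0.2.1"),
                 ("inside", "192.168.9.1", "dmz", "192.168.5.5"),   # not in NO_NAT
                 ("dmz", "192.168.5.5", "outside", "192.0.2.1")]:
        print(flow, "->", nat_decision(*flow))
```

In this model the inside hosts in 192.168.2-4.0/24 reach the DMZ through the NO_NAT exemption, while the (inside, dmz) static only matches real source addresses in 192.168.5.0/24.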