Prashant-
If this is just for educational purposes, and we are running 8.2 or older (not the newer 8.3 code), and you want to allow full connectivity between outside and inside, while leaving the command "nat-control" enabled, the 2 commands would be:
security-level x (on one of the interfaces, to make it match the other one)
same-security-traffic permit inter-interface (in global config)
NAT is no longer required with 2 interfaces at the same level with same-security-traffic permit inter-interface, even though
the command "nat-control" is still in the configuration, and no access-lists would be required as all traffic is allowed
between these two interfaces with the configuration mentioned above.
Secure and best practice? NO
Getting it done in 2 commands, and winning a bet with a friend: Priceless.
Best wishes,
Keith H. Barker, CCIE #6783
Instructor
kbarker_at_ine.com
Internetwork Expert, Inc.
http://ine.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
On Apr 18, 2010, at 2:04 PM, jockey wearer wrote:
> Hi all,
>
> I have configured a Cisco ASA firewall which is connected with inside and
> outside networks. Inside and outside networks have 3 networks internally. I
> am using the RIP protocol for reachability.
> On my firewall nat-control is enabled and I need to allow inside network to
> access outside network and outside to inside network.
> I want to put minimal configuration on firewall.
> In fact I have a bet with my friend to succeed with ICMP from both sides of the network
> (inside and outside) by using only two command statements on firewall
> (without disabling nat-control).
> Is it possible, and which way is a good one? I am a little bit confused. I think
> it is not possible in two commands???
>
> Thanks
> Prashant
> CISSP
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Apr 18 2010 - 17:26:19 ART
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART
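
Added example, not part of the original thread: a small audit script that reads a pre-8.3 ASA running-config and reports interface pairs left in the state the reply describes, that is, equal security levels with same-security-traffic permit inter-interface set, so that traffic passes between them without NAT or access-lists even though nat-control is present. The function name, the finding fields and the sample configuration are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample of a pre-8.3 ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
nat-control
same-security-traffic permit inter-interface
!
interface Ethernet0/0
 nameif outside
 security-level 100
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif dmz
 security-level 50
"""

def audit_same_security(config_text):
    """Return one finding per interface pair that is fully open to each other."""
    permit = nat_control = False
    levels = {}   # nameif -> security level
    name = None   # nameif of the interface block being parsed
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit inter-interface":
            permit = True
        elif line == "nat-control":   # "no nat-control" does not match
            nat_control = True
        elif line.startswith("interface "):
            name = None               # new block, nameif not seen yet
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    if not permit:
        return []                     # same-level interfaces cannot talk
    return [
        {"interfaces": (a, b), "level": levels[a], "nat_control_present": nat_control}
        for a, b in combinations(sorted(levels), 2)
        if levels[a] == levels[b]
    ]

if __name__ == "__main__":
    for finding in audit_same_security(SAMPLE_CONFIG):
        print("OPEN PAIR:", finding)
```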