In article , dexx wrote:
:I am configuring a cisco firewall for a client. The Cisco firewall
:service module (FWSM) is a blade which goes into a 6500 or 7600
:chassis. It's very similar to PIX.
"Similar" is not sufficient in this case. The FWSM is -not- a PIX, and it has different restrictions than the PIX does. A -closer- relationship is the FWSM, ASA 5500 series, and PIX running 7.0... but even then the FWSM has some important differences.
:I am configuring one to firewall
:between 3 internal networks. No address translation is needed in my
:scenario. Yet PIX seems to use NAT and PAT to excess. Is it possible to
:configure rules so that NAT and PAT are not necessary? I just want to
:filter on source, destination, and port.
If you are trying to do a "transparent layer 2 firewall", in which you have the same IP subnet on multiple interfaces, then with the ASA 5500 or PIX series you must use the 7.0 code stream. With the FWSM you have some flexibility about when various aspects are applied, and I don't know whether those interact with this matter.
If it is acceptable to have different IP subnets on different interfaces, then you can use static or nat 0 access-list to map addresses to themselves. The following setup is completely legal in the 6.x code stream:
outside ip 123.45.67.1/28
inside ip 123.45.67.129/25
dmz ip 123.45.67.65/26
route inside 123.45.67.17/28
route inside 123.45.67.33/27
static (inside,outside) 123.45.67.128 123.45.67.128 netmask 255.255.255.128
static (dmz,outside) 123.45.67.64 123.45.67.64 netmask 255.255.255.192
static (inside,outside) 123.45.67.16 123.45.67.16 netmask 255.255.255.240
static (inside,outside) 123.45.67.32 123.45.67.32 netmask 255.255.255.224
In this situation, a PIX would proxy-arp for its outside IP 123.45.67.1 and for everything static'd, 123.45.67.128/25, 123.45.67.64/26, 123.45.67.16/28, and 123.45.67.32/27 ... unless you had turned proxy-arp off.
If instead of using static, you use nat 0 access-list, then the PIX will NOT proxy ARP for any flow listed in the ACL.
Either way, it is better to ensure that your WAN router routes all of 123.45.67/24 via the outside IP 123.45.67.1
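As an added illustration (not part of this thread), a small Python script that reads a config in the shape of the identity statics above, lists the prefixes the PIX would proxy-ARP for on the outside interface, and runs the sanity checks implied by the reply: every static maps an address to itself, none of them overlaps the outside segment, and every routed prefix is covered by a static. The sample config is constructed; the `ip address` and `route` line shapes are assumed PIX 6.x syntax.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax, mirroring the identity statics in the post.
SAMPLE_CONFIG = """\
ip address outside 123.45.67.1 255.255.255.240
route inside 123.45.67.16 255.255.255.240 123.45.67.129 1
route inside 123.45.67.32 255.255.255.224 123.45.67.129 1
static (inside,outside) 123.45.67.128 123.45.67.128 netmask 255.255.255.128
static (dmz,outside) 123.45.67.64 123.45.67.64 netmask 255.255.255.192
static (inside,outside) 123.45.67.16 123.45.67.16 netmask 255.255.255.240
static (inside,outside) 123.45.67.32 123.45.67.32 netmask 255.255.255.224
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Collect interface subnets, static routes and static NAT entries."""
    cfg = {"ifaces": {}, "routes": [], "statics": []}
    for line in text.splitlines():
        p = line.split()
        if line.startswith("ip address "):          # ip address <if> <ip> <mask>
            cfg["ifaces"][p[2]] = net(p[3], p[4])
        elif line.startswith("route "):             # route <if> <dst> <mask> <gw> [metric]
            cfg["routes"].append((p[1], net(p[2], p[3])))
        elif m := STATIC_RE.match(line):            # static (<real>,<mapped>) <global> <local> netmask <mask>
            real_if, mapped_if, glob, local, mask = m.groups()
            cfg["statics"].append((real_if, mapped_if, net(glob, mask), net(local, mask)))
    return cfg

def proxy_arp_ranges(cfg, iface="outside"):
    """Prefixes the PIX will answer ARP for on `iface`: every static mapped onto it."""
    return [glob for _, mapped_if, glob, _ in cfg["statics"] if mapped_if == iface]

def audit(cfg, iface="outside"):
    """Sanity checks for a no-translation layout: statics must map to themselves,
    must not claim addresses on the outside wire, and every routed prefix needs one."""
    findings, outside = [], cfg["ifaces"][iface]
    for _, mapped_if, glob, local in cfg["statics"]:
        if glob != local:
            findings.append(f"{glob} -> {local} translates instead of mapping to itself")
        if mapped_if == iface and glob.overlaps(outside):
            findings.append(f"{glob} overlaps {iface} segment {outside}: proxy-ARP on the wire")
    for dst_if, dst in cfg["routes"]:
        if not any(dst.subnet_of(g) for g in proxy_arp_ranges(cfg, iface)):
            findings.append(f"route {dst} via {dst_if} has no static on {iface}")
    return findings
```

Switching the statics to `nat 0 access-list` entries would keep the reachability check meaningful but empty the proxy-ARP list, which is exactly the behavioural difference the reply describes.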