Using Cisco PIX without translation?

I am configuring a Cisco firewall for a client. The Cisco Firewall Services Module (FWSM) is a blade which goes into a 6500 or 7600 chassis. It's very similar to PIX. I am configuring one to firewall between 3 internal networks. No address translation is needed in my scenario. Yet PIX seems to use NAT and PAT to excess. Is it possible to configure rules so that NAT and PAT are not necessary? I just want to filter on source, destination, and port.

dexx

Yes. You can do that with a PIX. Just be aware that many of the fancier features (such as awareness of how protocols work) are tied to the NAT/PAT engine. But that is not a problem if all you need is a simple packet filter.

Disclaimer: This opinion is based on research done circa PIX OS 6.2. Newer releases may not have the same limitations.

Vincent C Jones

In article , dexx wrote:
:I am configuring a Cisco firewall for a client. The Cisco Firewall
:Services Module (FWSM) is a blade which goes into a 6500 or 7600
:chassis. It's very similar to PIX.

"Similar" is not sufficient in this case. The FWSM is -not- a PIX, and it has different restrictions than the PIX does. A -closer- relationship is the FWSM, ASA 5500 series, and PIX running 7.0... but even then the FWSM has some important differences.

:I am configuring one to firewall
:between 3 internal networks. No address translation is needed in my
:scenario. Yet PIX seems to use NAT and PAT to excess. Is it possible to
:configure rules so that NAT and PAT are not necessary? I just want to
:filter on source, destination, and port.

If you are trying to do a "transparent layer 2 firewall", in which you have the same IP subnet on multiple interfaces, then with the ASA 5500 or PIX series you must use the 7.0 code stream. With the FWSM you have some flexibility about when various aspects are applied, and I don't know whether those interact with this matter.

If it is acceptable to have different IP subnets on different interfaces, then you can use static or nat 0 access-list to map addresses to themselves. The following setup is completely legal in the 6.x code stream:

outside ip 123.45.67.1/28
inside ip 123.45.67.129/25
dmz ip 123.45.67.65/26
route inside 123.45.67.17/28
route inside 123.45.67.33/27
static (inside,outside) 123.45.67.128 123.45.67.128 netmask 255.255.255.128
static (dmz,outside) 123.45.67.64 123.45.67.64 netmask 255.255.255.192
static (inside,outside) 123.45.67.16 123.45.67.16 netmask 255.255.255.240
static (inside,outside) 123.45.67.32 123.45.67.32 netmask 255.255.255.224

In this situation, a PIX would proxy-arp for its outside IP 123.45.67.1 and for everything static'd, 123.45.67.128/25, 123.45.67.64/26, 123.45.67.16/28, and 123.45.67.32/27 ... unless you had turned proxy-arp off.

If instead of using static, you use nat 0 access-list, then the PIX will NOT proxy ARP for any flow listed in the ACL.

Either way, it is better to ensure that your WAN router routes all of 123.45.67/24 via the outside IP 123.45.67.1.

Walter Roberson
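A worked configuration for the original question (three internal networks, no translation, filtering on source, destination and port), added here as an illustration and not taken from any post in this thread. It uses the PIX 6.x command set that the replies above discuss; the interface names, the RFC1918 subnets, the host addresses and the ports are assumptions chosen for the example. On the FWSM the command set and defaults differ in places, so check the module's own documentation before copying it.

```cisco
! Added example, not from the original thread. PIX 6.x syntax.
! Three internal networks, one per interface; addresses are assumed.
nameif ethernet0 net-a security0
nameif ethernet1 net-b security50
nameif ethernet2 net-c security100
ip address net-a 10.1.0.1 255.255.255.0
ip address net-b 10.2.0.1 255.255.255.0
ip address net-c 10.3.0.1 255.255.255.0

! Identity NAT: "nat 0 access-list" exempts matching flows from translation.
! The PIX will NOT proxy-ARP for flows listed here (see the reply above),
! so the neighbouring routers must route each subnet to this firewall.
access-list NONAT_C permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT_C permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (net-c) 0 access-list NONAT_C
access-list NONAT_B permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (net-b) 0 access-list NONAT_B

! Alternative to the nat 0 lines: identity statics map a subnet to itself.
! The PIX proxy-ARPs for these unless "sysopt noproxyarp <if>" is set.
! static (net-c,net-a) 10.3.0.0 10.3.0.0 netmask 255.255.255.0
! static (net-b,net-a) 10.2.0.0 10.2.0.0 netmask 255.255.255.0

! Plain source/destination/port filtering. Each interface ACL ends with an
! explicit deny so the policy is visible in "show access-list" hit counts
! (the implicit deny at the end of every ACL would do the same job).
! net-a (lowest security) may only reach the assumed web host on net-b.
access-list NETA_IN permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq www
access-list NETA_IN deny ip any any
access-group NETA_IN in interface net-a

! net-b may reach the assumed database host on net-c on port 1433 only.
access-list NETB_IN permit tcp host 10.2.0.10 host 10.3.0.20 eq 1433
access-list NETB_IN deny ip any any
access-group NETB_IN in interface net-b

! net-c (highest security) may reach net-a and net-b freely; PIX allows
! high-to-low by default, but an explicit ACL keeps the policy auditable.
access-list NETC_IN permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NETC_IN permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NETC_IN deny ip any any
access-group NETC_IN in interface net-c
```

Two points a practitioner should check after loading this. First, run `show xlate` while test traffic flows: with identity NAT in place there should be no translation entries for the exempted flows, which confirms that the packet filter, not the NAT engine, is doing the work. Second, confirm with `show arp` on the adjacent routers that no subnet is being answered by the firewall's MAC address unexpectedly; as noted in the reply above, `static` entries cause proxy-ARP while `nat 0 access-list` entries do not, and the two behave differently if a router happens to have a directly connected route for one of these subnets.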
