
Thursday, August 11, 2011

PIX 7.X Configuration

A major difference between the PIX/ASA 7.x software and previous versions is that, by default, the firewall no longer requires a translation for traffic to pass (the nat-control feature is off unless you turn it on), so outbound access works with no additional NAT configuration. Of course, if your environment requires NAT (which most Internet-connected firewalls do), you must still configure the appropriate nat/global or static translations.

Advantages of running with no nat-control:
  1. Elimination of the numerous identity static (intf1,intf2) A.B.C.D A.B.C.D statements that nat-control makes necessary for traffic between internal interfaces. These would have to be configured for ALL possible internal interface-to-interface combinations.
  2. Troubleshooting such an implementation is simpler, since the security levels of the interfaces and the access-lists are all that govern the traffic (vs. needing the translation statements as well).
  3. If full, unrestricted access is required between internal networks, version 7.0 and above supports the "same-security-traffic permit inter-interface" command, which corresponds to a checkbox in ASDM entitled "Enable traffic between two or more interfaces with the same security level". With this enabled, two or more of the internal interfaces can be assigned the same security level, eliminating the need for any ACLs between them.
Now that we have mentioned the advantages, to be fair we should list some of the caveats:
  1. By using "no nat-control" the potential danger exists of having your private networks "leak" out to the Internet untranslated. Although your ISP (and others, hopefully!) won't be able to route back to these RFC 1918 networks, it provides unnecessary visibility of the actual identity of your internal addressing.
  2. A recommended "fix" for the above problem is not only to explicitly configure translation rules for ALL of the internal networks that are allowed access to the Internet, but also to configure an outbound access-list on the outside interface denying any private (RFC 1918) source address from exiting.
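Putting the advantages and both caveats together, here is a complete 7.x configuration fragment. This is an added example, not configuration from the original post: the interface names (Ethernet0/1/2), the nameifs, the addresses, the NAT ID and the ACL name OUTSIDE_OUT are all assumptions for illustration, and the nat/global syntax is the 7.x/8.2 form (8.3 and later replaced it).

```cisco
! Added example; interface names, addresses, NAT ID and ACL name are assumptions.
! nat-control is already off by default in 7.0+; stating it makes the intent explicit.
no nat-control
!
! Advantage 3: let interfaces at the same security level talk to each other
! with no ACLs and no identity statics.
same-security-traffic permit inter-interface
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 nameif eng
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
! Caveat 2, part one: an explicit translation for EVERY internal network that
! is allowed out, so Internet access never relies on an untranslated packet.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (eng) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
!
! Caveat 2, part two: an outbound ACL on the outside interface that drops any
! RFC 1918 source. The out-direction ACL is evaluated after translation, so
! these entries only match packets that escaped NAT; "log" makes a leak visible
! in syslog instead of silently dropping it.
access-list OUTSIDE_OUT extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE_OUT extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE_OUT extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
```

To check it, generate some outbound traffic from each internal network and look at "show xlate" (every internal host that went out should have a translation) and "show access-list OUTSIDE_OUT" (the three deny entries should show zero hits). A non-zero hit count on a deny line, or a %ASA-4-106023 deny message in syslog, tells you exactly which internal network is missing its nat statement.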
