Question 1)
>>
>>global (dmz) 1 10.10.10.1 netmask 255.255.255.255
>>nat (inside) 1 192.168.0.0 255.255.255.0 0 0
>>
>>Am I correct to understand that only the specified
>>traffic from the Inside interface, 192.168.0.X will
>>be NATed to the address 10.10.10.1 when it enters the DMZ?

Yes and no. You specified that traffic will be translated, but you didn't
specify what traffic would be translated. (Add outbound/apply commands to
specifically deny or permit traffic.)

        global (dmz) 1 10.10.10.1 netmask 255.255.255.255
        nat (inside) 1 192.168.0.0 255.255.255.0 0 0

        outbound 1 deny 0 0 0
        outbound 1 except 192.168.0.0 255.255.255.0 80 TCP
        apply (inside) 1 outgoing_src

That would deny all traffic except traffic from 192.168.0.1-254 on port 80
from going out.

Question 2)

>>This is also to say that traffic from any other subnet, 192.168.1.X
>>or even from the Outside interface won't be NATed.

Yes, as long as the Outside interface is a DIFFERENT interface with a
different security level, and you aren't referring to the dmz interface as
the outside interface....

>>While I'm at it...Which is more recommended to use, Conduits or ACLs with
>>PIX version 5.0(3)?

Not too sure, but my understanding is to use them both. Conduits specifically
allow types of traffic from a lower security interface to a higher security
interface... While ACLs filter traffic going from a higher security interface
to a lower security interface. By default any traffic from a higher
security interface is passed to a lower security interface. You might not
always want that.

>>And, can you use conduits to allow DMZ traffic to enter the
>>Inside interface (such as a web server connecting to an internal
>>database)?

Yes, use static/conduit commands to allow the lower security (dmz) interface
access to the higher security (inside) interface. And outbound/apply commands
for the opposite.


Hope that helps!!!
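To make the nat/global pairing from the reply concrete, here is an added example (not from the thread or from Cisco) that parses the two statements above plus a constructed second global for the outside interface, and decides what source address a flow leaves with. The rule it models is the documented one: a nat statement matches on ingress interface and source network, and its ID selects the global statement on the egress interface; nat ID 0 means no translation.

```python
import ipaddress

# Constructed sample config: the nat/global pair quoted in the reply, plus an
# extra global for the outside interface (hypothetical address) to show that
# the same nat ID is matched per egress interface.
PIX_CONFIG = """
global (dmz) 1 10.10.10.1 netmask 255.255.255.255
global (outside) 1 203.0.113.10 netmask 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
"""


def parse_config(text):
    """Return (globals_, nats).

    globals_ maps (egress_iface, nat_id) -> global address.
    nats is a list of (ingress_iface, nat_id, source_network).
    """
    globals_, nats = {}, []
    for line in text.strip().splitlines():
        parts = line.split()
        iface = parts[1].strip("()")
        if parts[0] == "global":
            globals_[(iface, int(parts[2]))] = ipaddress.ip_address(parts[3])
        elif parts[0] == "nat":
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            nats.append((iface, int(parts[2]), net))
    return globals_, nats


def translate(src_ip, ingress, egress, globals_, nats):
    """Address a packet from src_ip (arriving on `ingress`, leaving via
    `egress`) carries after translation. Returns the source itself for
    nat ID 0 (no translation) and None when no nat/global pair matches,
    i.e. the PIX has no translation slot for that flow."""
    src = ipaddress.ip_address(src_ip)
    for iface, nat_id, net in nats:
        if iface == ingress and src in net:
            if nat_id == 0:
                return src
            return globals_.get((egress, nat_id))
    return None
```

With this config only 192.168.0.0/24 entering on inside is translated, to 10.10.10.1 towards dmz and to the outside global towards outside; 192.168.1.x, or the same addresses arriving on any other interface, match nothing.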
