The Best Damn Cisco Internetworking Book Period

Allowing Outbound Traffic

At a minimum, the PIX must be configured to permit outbound traffic (traffic from a higher security-level interface to a lower security-level one), either by configuring address translation or by explicitly disabling it for the hosts in question (nat 0). Provided that no ACLs or apply/outbound statements prohibit the traffic, this alone is sufficient to permit outbound sessions. Because the PIX tracks the state of each connection, once an outbound session has been initiated the return traffic for that session is allowed back from the lower security-level interface to the higher security-level interface without any further configuration.

Configuring Dynamic Address Translation

Address translation (or its explicit deactivation) is all that is required to pass outbound traffic. Once NAT and/or PAT are configured, the Adaptive Security Algorithm (ASA), the stateful inspection engine of the PIX, permits sessions to traverse from a higher security-level interface to a lower security-level interface; these are known as outbound connections.

Configuration of NAT/PAT is a two-step process:

  1. Use the nat command to identify the local addresses that will be translated.

  2. Use the global command to define the global addresses to translate to.
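The two steps above carried out as a PIX 6.x configuration, together with the commands used to inspect the resulting translations. This is an added example rather than configuration taken from the book: the interface names, the inside network 10.1.1.0/24, the outside address block 192.0.2.0/24 and the nat_id of 1 are assumptions chosen for illustration, and the lines beginning with ! are annotations for the reader, not part of the configuration.

```cisco
! Added example, not from the book. Assumed: interface "inside" (security 100),
! interface "outside" (security 0), inside hosts on 10.1.1.0/24, registered
! addresses on 192.0.2.0/24.

! Step 1: nat identifies the local (inside) addresses eligible for translation.
! The nat_id (1) links this statement to the global pool(s) below.
nat (inside) 1 10.1.1.0 255.255.255.0

! Step 2: global defines the addresses to translate to on the lower-security
! interface. A range gives one-to-one dynamic NAT; a single address with the
! same nat_id is used for PAT once the range is exhausted, so the pool
! running out does not silently stop outbound sessions.
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
global (outside) 1 192.0.2.21 netmask 255.255.255.255

! The alternative to translating: nat 0 marks hosts that keep their own
! (routable) addresses. No global statement is needed for nat_id 0.
nat (inside) 0 10.1.2.0 255.255.255.0

! Verification. show xlate lists the translation slots built so far;
! show timeout confirms the idle timer (timeout xlate 3:00:00 by default).
show xlate
show timeout

! Shorten the idle timeout to one hour, then flush the table. Note that
! clear xlate tears down every active translation and its sessions, so it
! belongs in a maintenance window, not on a busy production firewall.
timeout xlate 1:00:00
clear xlate
```

Check the result with show xlate after an inside host opens an outbound session: a PAT entry appears as a port-mapped Global entry, a dynamic NAT entry as a plain Global/Local pair, and a nat 0 host as an identity translation with the same address on both sides.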

Address translation records are known as translation slots (or xlates) and are stored in the translation table. To view the contents of this table, use the show xlate command. The xlate timer monitors the translation table and removes records that have been idle longer than the configured timeout. By default this is three hours (timeout xlate 3:00:00); the current settings can be verified with the show timeout command. The syntax of the nat command is as follows:

nat [(if_name)] nat_id local_ip [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [max_conns [em_limit]]]
  • if_name Applies...
