I wanted to clear up a few basic concepts of the ASA:
It has been said (in my ASA book) that:
Before connections can form between firewall interfaces, two conditions must be met: 1) An address translation policy MUST be configured between a pair of interfaces. 2) A security policy must be configured to allow the connection to initiate toward the destination, usually in the form of an access list applied to a firewall interface.
It has also been said that:
1) Outbound connections from a higher security interface to a lower one are allowed, provided that they are permitted by any access lists that are applied to the firewall interfaces. 2) All inbound connections from a lower security interface to a higher one are blocked.
1) Why do I need an ACL permitting traffic from a high-security interface to a lower one if the traffic is permitted (as previously stated)? How is this any different from a low-security interface to a high-security interface? Wouldn't I need an ACL in either case?
2) In order to communicate between interfaces, do I always need an address translation policy? If so, is the book speaking of NAT and PAT?
3) In summation, for any communication, I need a NAT/PAT statement and an ACL allowing the flow of traffic?
4) When do I not need an ACL or an address translation policy?
5) If traffic is permitted from a higher-security interface to a lower-security interface, does this include return traffic? (because this is a stateful firewall.)
I think I am confusing some of the basic concepts. Please shed some light. Thanks!
I will try and shed some light (well, this is my understanding):
You don't need an access-list from High to Low; this is allowed by default. You will need an access list from Low to High, however. This is one of the PIX/ASA security mechanisms to try and secure them. Also, you don't necessarily need to configure NAT. If you are using nat-control then you obviously do need to configure NAT (and from Low to High you need to configure a static translation), but if you turn off nat-control then NATting isn't required.
High to Low - Traffic will flow (if NAT is configured correctly, if you are using NAT)
Low to High - Will need an access-list (and a static if you are using NAT)
NAT - Only if you are using nat-control
Routing - If you are not using nat-control then the appliance will route the traffic.
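To make the answer above concrete, here is an added example configuration (not from either post) in pre-8.3 ASA syntax with nat-control enabled. It assumes interfaces named inside (security-level 100) and outside (security-level 0), constructed addresses, and the pre-8.3 rule that an inbound ACL refers to the mapped (translated) address.

```cisco
! Added example, not from the original thread. Constructed addresses:
! inside network 10.1.1.0/24, web server 10.1.1.10, outside 192.0.2.0/24.
! Interface names and hardware (GigabitEthernet0/x) are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! With nat-control on, every flow between interfaces needs a translation rule.
nat-control
!
! High -> Low (inside -> outside): a translation is enough, no ACL required.
! Traffic from security-level 100 to 0 is permitted by default, and the
! stateful connection table admits the return packets of each session.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Low -> High (outside -> inside): BOTH a static translation AND an inbound
! ACL are required. The ACL names the mapped address (pre-8.3 behaviour)
! and permits only the one service the server is meant to expose.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! With "no nat-control" the nat/global and static lines become optional and
! the ASA simply routes between interfaces; the Low -> High ACL is still
! required, since the security-level check is independent of NAT.
```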