Archive for April, 2008
I was reading Cisco Packet Magazine the other day, and noticed a few mails from readers claiming that they have many Cisco routers in their network running continuously for more than 3 years. The continuous long uptime of a router shows the stability and reliability of the specific hardware, but on the other hand it also reveals an insecure network.
A router running continuously for many years means that it has not been upgraded at all. A router which has not been upgraded for more than 3 years probably runs IOS version 12.0 or 12.1, which are full of security vulnerabilities. I would rather have a network with router uptimes of less than a month, but with all the latest Cisco IOS security patches, instead of a network with router uptimes of 3 years and full of security holes. What do you think?
With the original PIX firewall models, all traffic traversing a Cisco firewall from inside to outside (higher security level to lower security level) had to match a NAT rule, otherwise the traffic was blocked. For example, in order for an inside web client host to access an outside web server host, there had to be a NAT translation rule matching the inside traffic so that it was translated to an outside address.
So what about “NO NAT-CONTROL”? This feature impacts traffic not described in NAT statements. All the NAT features still work as described … the impact is to the address space not described by NAT … If “no nat-control” is configured on the firewall, then traffic which does not match a NAT rule is no longer blocked. All ACLs, security level rules, statefulness, etc. still apply, and such traffic can now traverse the PIX/ASA. For the traffic that does not match a NAT rule, the firewall acts as a router, forwarding the traffic according to the ACL restrictions only.
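As an added example (not from the original post; the addresses, ACL names and interface names are assumed for illustration), here are the two settings side by side, showing the identity rule that nat-control used to require and the explicit inside ACL that does the real filtering once nat-control is off:

```cisco
! Added example, not part of the original post. Addresses, ACL names and
! interface names are assumed for illustration.
!
! --- PIX/ASA with nat-control enabled (the original PIX behaviour) ---
nat-control
! Only 192.168.1.0/24 has a translation. Any other inside source that is
! not covered by a nat rule is dropped, regardless of what the ACLs permit.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Hosts that must cross untranslated need an explicit identity (nat 0) rule.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! --- The same box with "no nat-control" ---
no nat-control
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! 192.168.2.0/24 now crosses untranslated with no nat 0 rule at all, so the
! inside ACL is the only thing limiting what leaves. Make it explicit instead
! of relying on the implicit higher-to-lower security level permit.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

With nat-control off, the deny-any-any at the end of INSIDE_IN is what catches the inside subnets that nat-control would previously have blocked for lack of a translation, and the log keyword lets you see which hosts were relying on that.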