Clarification

Answered Question
Aug 21st, 2007

Hi all

I saw many people write this command in their configuration and I have a conflict with it. The command is

global (inside)

I know that we can write

global (outside)

global (DMZ)

to translate the inside IPs, but why global (inside)? Please clarify this.

Thanks

amady

Jon Marshall Tue, 08/21/2007 - 01:39

Hi

global (inside) would be used to translate source IP addresses coming from outside the PIX firewall into your network. An example would help.

Let's say you have a server that is accessible from the outside which lives on your inside network. Now let's say you allow anybody on the internet to access this server. (I'm not saying you would do this, but it is just an example.)

So the source IP addresses could be any internet address. You may not want these addresses on your internal network. So what you could do is translate all incoming addresses to an address or addresses of your choice, e.g.

nat (outside) 1 0.0.0.0 0.0.0.0 outside

global (inside) 1 interface

This would translate all incoming source IP addresses from the outside to the inside interface address of the PIX.

HTH

Jon

amady3381 Tue, 08/21/2007 - 01:59

Hi Jon

Appreciate your help!

But the problem is they use it without the nat (outside) command. See this example:

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 10.0.1.0 255.255.255.0

static (inside,outside) 1.1.1.1 10.0.1.8 netmask 255.255.255.255

Also, what is the use of translating the IPs from outside to inside? Is there any threat that could happen to my network without translating from outside to inside?

Thanks and appreciate your help

amady

Correct Answer
Jon Marshall Tue, 08/21/2007 - 02:06

Hi

Without a corresponding NAT statement, as far as I know, the global statement is doing nothing. Maybe it is just some leftover config.

The use is more evident in a large network. If you don't use a default route pointing back to your internet gateway and you have multiple routers, you would need to have routing entries in your routing tables for all possible addresses. Some people don't want that, and they also don't want to use a default route, so it makes sense to translate all source IP addresses coming in to a routable subnet on your network.

The reason you may not want to use a default route is security related. If an outside user can gain access to your LAN and you have a default route, the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network.

Obviously this is not your first line of defence, but mistakes do happen and firewalls can be misconfigured.

HTH

Jon

amady3381 Tue, 08/21/2007 - 02:51

Hi Jon

Sorry, I didn't get (misunderstood) your last post. Please clarify it in another way or give me an example, please.

Thanks and Regards

amady

amady3381 Tue, 08/21/2007 - 03:13

Jon

"If an outside user can gain access to your LAN if you have a default route the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network."

Thanks

Jon Marshall Tue, 08/21/2007 - 03:31

Amady

Okay, before giving an example you need to understand that this only applies to an internal network that has a number of subnets and where the internal network uses routers/L3 switches.

If you only have one internal subnet and the default gateway for any clients on that subnet is the inside interface of the ASA/PIX, then the example I give is not relevant.

Okay, example as follows:

inside server address 192.168.5.10/24

Public ip address of server 212.72.1.11

So on your firewall you have an entry

static (inside,outside) 212.72.1.11 192.168.5.10 netmask 255.255.255.255

Your inside interface of the firewall is

192.168.2.1 255.255.255.0

Your inside interface has a connection to a router which has an address of 192.168.2.2.

On another interface on the same router you have the 192.168.5.0 255.255.255.0 network. The router interface is 192.168.5.1.

Your 192.168.5.10 server has its default gateway set to 192.168.5.1.

On your PIX/ASA you have a route

route (inside) 192.168.5.0 255.255.255.0 192.168.2.2

Right, a user on the internet tries to connect to the internal server with SSH,

i.e. ssh 212.72.1.11

The user's device on the internet has the source IP address 195.17.1.10.

So when the packet arrives at the firewall it has

source IP address 195.17.1.10

destination IP address 212.72.1.11

The firewall NATs the destination IP address to 192.168.5.10, so now

source IP address 195.17.1.10

destination IP address 192.168.5.10

The firewall now looks up the route for 192.168.5.10 and sends it to 192.168.2.2.

The router now forwards the packet to the 192.168.5.10 server.

So far so good.

The server now sends a return packet back to the client on the internet.

source IP address 192.168.5.10

destination IP address 195.17.1.10

The server packet arrives at the internal router. The router looks up a route for 195.17.1.10 and does not find a route for this host.

Now one of two things can happen:

i) If you have a default route on your router pointing to the internal interface of the PIX/ASA, then the packet will be forwarded on to the ASA, any NATting will take place, and then the packet will be forwarded back out to the client.

ii) If the router does not have a default route, it drops the packet. So it does not get out of your internal network.

Hope this makes sense

Jon
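To make the two outcomes above concrete, here is a small Python model of the flow Jon describes (an added example, not part of the original thread or of any Cisco software). It uses Jon's addresses and port 22, and compares three cases: internal router with a default route, without one, and without one but with `nat (outside) 1 0.0.0.0 0.0.0.0 outside` + `global (inside) 1 interface` so that outside sources arrive looking like the firewall's inside interface. Everything else (the packet class, longest-prefix lookup, the PAT port counter) is a simplification written for this illustration; there is no ACL engine or TCP state.

```python
"""Packet-flow model of a server behind a PIX/ASA on a subnet that hangs off an
internal router. Added illustration; addresses are from the thread, the model
(tables, lookups, PAT as a bare port counter) is a simplification."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop).
    Returns the next hop, or None when nothing matches (no default route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


class Firewall:
    """static (inside,outside) plus optional nat (outside) / global (inside)."""
    INSIDE_IF = "192.168.2.1"

    def __init__(self, translate_outside_sources: bool):
        self.static = {"212.72.1.11": "192.168.5.10"}        # public -> private
        self.translate_outside = translate_outside_sources
        self.routes = [("192.168.5.0/24", "192.168.2.2"),     # route (inside) ...
                       ("192.168.2.0/24", "connected"),
                       ("0.0.0.0/0", "195.221.211.1")]        # route (outside) ...
        self.xlate = {}            # PAT port -> (original src, original sport)
        self.next_port = 1024      # toy PAT allocator (assumption)

    def inbound(self, pkt):
        """Outside -> inside: un-NAT the destination, optionally PAT the source."""
        dst = self.static[pkt.dst]
        src, sport = pkt.src, pkt.sport
        if self.translate_outside:
            sport = self.next_port
            self.next_port += 1
            self.xlate[sport] = (pkt.src, pkt.sport)
            src = self.INSIDE_IF   # global (inside) 1 interface
        return Packet(src, sport, dst, pkt.dport), lookup(self.routes, dst)

    def outbound(self, pkt):
        """Inside -> outside: reverse both translations."""
        dst, dport = pkt.dst, pkt.dport
        if self.translate_outside:
            dst, dport = self.xlate[pkt.dport]
        public = {v: k for k, v in self.static.items()}[pkt.src]
        return Packet(public, pkt.sport, dst, dport)


class Router:
    """Internal L3 hop: two connected subnets plus an optional default route."""
    def __init__(self, default_route: bool):
        self.routes = [("192.168.2.0/24", "connected"),
                       ("192.168.5.0/24", "connected")]
        if default_route:
            self.routes.append(("0.0.0.0/0", Firewall.INSIDE_IF))

    def forward(self, pkt):
        return lookup(self.routes, pkt.dst)


def simulate(translate_outside_sources: bool, router_default_route: bool):
    """One SSH request/reply: client -> fw -> router -> server and back.
    Returns ('delivered', reply as seen on the internet) or ('dropped', where)."""
    fw = Firewall(translate_outside_sources)
    rtr = Router(router_default_route)
    request = Packet("195.17.1.10", 40000, "212.72.1.11", 22)
    inside_pkt, next_hop = fw.inbound(request)
    assert next_hop == "192.168.2.2"               # fw has an explicit inside route
    assert rtr.forward(inside_pkt) == "connected"  # router hands it to the server
    reply = Packet(inside_pkt.dst, 22, inside_pkt.src, inside_pkt.sport)
    next_hop = rtr.forward(reply)
    if next_hop is None:
        return ("dropped", "router: no route to %s" % reply.dst)
    # "connected" (the fw's own inside address) and the default route both land on the fw
    return ("delivered", fw.outbound(reply))


if __name__ == "__main__":
    for nat, dflt in ((False, True), (False, False), (True, False)):
        print("nat(outside)=%-5s router default=%-5s ->" % (nat, dflt), simulate(nat, dflt))
```

With no outside NAT and no default route the server's reply to 195.17.1.10 dies on the router; with the NAT pair in place the reply is addressed to 192.168.2.1, a connected subnet, so it reaches the firewall, which reverses the PAT entry and the static and sends it out. That is the routing-table trick Jon is describing, and it is also why the `global (inside)` line in amady's config does nothing on its own: without a `nat (outside)` referencing the same ID there is no translation to build the xlate entry from.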

amady3381 Tue, 08/21/2007 - 09:20

Hi Jon

Regarding these two things, I know that it will happen as you explain.

What I want to know is why I would do NATting for the IPs from outside to inside.

In these two points you are using the internet user's public address. Also, if I open the server to be accessible from outside, I should make the default route to the internal interface of the PIX, otherwise it will not be accessible, but I will determine some ports like 80, 443, 22, ... to be opened.

Finally, your two points consider the user as an attacker, but if the user is the admin he will not access the server from outside.

I hope you get my question

Thanks very much

I appreciate your help

Amady

Jon Marshall Tue, 08/21/2007 - 12:05

Amady

Apologies for the rather long explanation; I'll try and answer your questions better this time.

"Also, If I open the server to be accessible from outside, I should make the default route to internal interface of the pix otherwise it will not be acessible"

Yes, you are right in the situation where you can set the default gateway of the server to be the PIX, but what if the server is not on the subnet that connects to the internal interface of the PIX? That is what I tried to explain in my post: if you just have one subnet connected to the PIX then you don't need to worry about default routes etc.

"Finally, your 2 points considerng the user as attaker but If the user is the admin he will not access the server from outside"

Just because the user is not admin does not mean they cannot do damage. One of the first things an attacker would try to do if they managed to get access to your machine as a normal user is to escalate their privileges to admin level. It can be and has been done many times.

Hope I have answered your questions.

Jon

amady3381 Tue, 08/21/2007 - 21:46

Hi Jon

Thanks very much. Please find the attached file.

I will do the routing configuration for the devices in the diagram; give me your opinion and find me the threats in this configuration, please.

R1:

ip route 0.0.0.0 0.0.0.0 10.1.1.2

FW:

route (outside) 0.0.0.0 0.0.0.0 195.221.211.1 1

route (inside) 10.1.2.0 255.255.255.0 10.1.1.1 1

route (inside) 10.1.3.0 255.255.255.0 10.1.1.1 1

static (inside,outside) 195.221.211.15 10.1.3.2 netmask 255.255.255.255

access-list open_outside permit tcp any host 195.221.211.15 eq 80

access-list open_outside permit tcp any host 195.221.211.15 eq 443

access-list open_outside permit tcp any host 195.221.211.15 eq 22

access-group open_outside in interface outside

Now, I have two cases:

Outside User = Right User

If the user tries to access the server, he will succeed, but if I remove the default route he will not have access, so how can I solve this?

Outside User = Attacker

If the user is an attacker he will access the server only through ports 80, 443, 22, but if I remove the default route it will not work and I will be safe from attackers, but the normal and right user will not have access either, so how can I solve this?

Please, if you have another configuration for this scenario, saving me from the attackers and the internet threats, please write it for me, but without putting the server on the DMZ.

Thanks and Regards

Amady
