Clarification

Answered Question
Aug 21st, 2007

Hi all


I saw many people write this command in their configuration and I have a conflict with it. The command is

global (inside)

I know that we can write


global (outside)

global (DMZ)


to translate the inside IPs, but why global (inside)? Please clarify this.


Thanks

amady




Jon Marshall Tue, 08/21/2007 - 01:39

Hi


global (inside) would be used to translate source IP addresses coming from outside the pix firewall into your network. An example would help.


Let's say you have a server that is accessible from the outside which lives on your inside network. Now let's say you allow anybody on the internet to access this server. (I'm not saying you would do this but it is just an example)


So the source IP addresses could be any internet address. You may not want these addresses on your internal network. So what you could do is translate all incoming addresses to an address or addresses of your choice eg.


nat (outside) 1 0.0.0.0 0.0.0.0 outside

global (inside) 1 interface


This would translate all incoming source IP addresses from the outside to the inside interface address of the pix.


HTH


Jon

amady3381 Tue, 08/21/2007 - 01:59

Hi Jon


Appreciate your help!


But the problem is they use it without the nat (outside) command. See this example:


global (inside) 1 interface

global (outside) 1 interface


nat (inside) 1 10.0.1.0 255.255.255.0

static (inside,outside) 1.1.1.1 10.0.1.8 netmask 255.255.255.255



Also, what is the use of translating the IPs from outside to inside? Is there any threat that could happen to my network without translating from outside to inside?


Thanks and appreciate your help

amady

Correct Answer
Jon Marshall Tue, 08/21/2007 - 02:06

Hi


Without a corresponding NAT statement, as far as I know the global statement is doing nothing. Maybe just some left over config.


The use is more evident in a large network. If you don't use a default route pointing back to your internet gateway and you have multiple routers, you would need to have routing entries in your routing tables for all possible addresses. Some people don't want that and they also don't want to use a default route, so it makes sense to translate all source IP addresses coming in to a routable subnet on your network.


The reason you may not want to use a default route is security related. If an outside user can gain access to your LAN and you have a default route, the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network.


Obviously this is not your first line of defence but mistakes do happen and firewalls can be misconfigured.


HTH


Jon

amady3381 Tue, 08/21/2007 - 02:51

Hi Jon


Sorry, I didn't get (misunderstood) your last post. Please clarify it in another way or give me an example, please.


Thanks and Regards

amady

Jon Marshall Tue, 08/21/2007 - 03:01

Amady


Which bit did you not understand?


Jon

amady3381 Tue, 08/21/2007 - 03:13

Jon


"If an outside user can gain access to your LAN and you have a default route, the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network."


Thanks

Jon Marshall Tue, 08/21/2007 - 03:31

Amady


Okay, before giving an example you need to understand that this only applies to an internal network that has a number of subnets and the internal network uses routers/L3 switches.


If you only have one internal subnet and the default gateway for any clients on that subnet is the inside interface of the ASA/Pix, then the example I give is not relevant.


Okay, example as follows:


inside server address 192.168.5.10/24

Public ip address of server 212.72.1.11


So on your firewall you have an entry


static (inside,outside) 212.72.1.11 192.168.5.10 netmask 255.255.255.255


Your inside interface of the firewall is


192.168.2.1 255.255.255.0


your inside interface has a connection to a router which has an address of 192.168.2.2


On another interface on the same router you have the 192.168.5.0 255.255.255.0 network. The router interface is 192.168.5.1.


Your 192.168.5.10 server has its default gateway set to 192.168.5.1



On your Pix/ASA you have a route


route (inside) 192.168.5.0 255.255.255.0 192.168.2.2


Right, a user on the internet tries to connect to the internal server with ssh


i.e. ssh 212.72.1.11


The user device on the internet has the source IP address of 195.17.1.10.


So when the packet arrives at the firewall it has


source IP address 195.17.1.10

destination IP address 212.72.1.11


The firewall NATs the destination IP address to 192.168.5.10, so now


source IP address 195.17.1.10

destination IP address 192.168.5.10


The firewall now looks up the route for 192.168.5.10 and sends it to 192.168.2.2.


The router now forwards the packet to the 192.168.5.10 server.


So far so good.


The server now sends a return packet back to the client on the internet.


source IP address 192.168.5.1

destination IP address 195.17.1.10


The server packet arrives at the internal router. The router looks up a route for 195.17.1.10 and does not find a route for this host.


Now one of 2 things can happen:


i) If you have a default route on your router pointing to the internal interface of the pix/asa then the packet will be forwarded onto the ASA, any natting will take place and then the packet will be forwarded back out to the client.


ii) If the router does not have a default route it drops the packet. So it does not get out of your internal network.


Hope this makes sense


Jon
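As an added illustration that is not part of the thread, the following Python simulation walks a packet through the topology in Jon's example and ties his two earlier posts together: when the outside source is translated to the inside interface address (the nat (outside) / global (inside) pair), the server's reply goes to a directly connected subnet and is delivered even with no default route on the internal router; without that translation the reply is dropped as in case ii. Addresses are those of Jon's example; the router's routing table is assumed to contain only its two connected subnets plus the optional default route.

```python
import ipaddress

# Topology from Jon's example (constructed for this simulation):
# firewall inside interface 192.168.2.1, internal router 192.168.2.2,
# server 192.168.5.10 behind the router, public address 212.72.1.11.
FW_INSIDE = "192.168.2.1"
STATIC = {"212.72.1.11": "192.168.5.10"}   # static (inside,outside) public -> inside
ROUTER_CONNECTED = ("192.168.2.0/24", "192.168.5.0/24")


def firewall_inbound(src, dst, outside_nat):
    """Inbound packet through the PIX: the static untranslates the destination.
    With nat (outside) 1 0.0.0.0 0.0.0.0 outside + global (inside) 1 interface,
    the source is also rewritten to the inside interface address."""
    inside_dst = STATIC[dst]
    inside_src = FW_INSIDE if outside_nat else src
    return inside_src, inside_dst


def router_forward(dst, default_route):
    """Internal router lookup: connected subnets, then an optional 0.0.0.0/0
    towards the PIX. Returns the next hop, or None when the packet is dropped
    (Jon's case ii)."""
    d = ipaddress.ip_address(dst)
    if any(d in ipaddress.ip_network(n) for n in ROUTER_CONNECTED):
        return "connected"
    return FW_INSIDE if default_route else None


def reply_reaches_firewall(client, public, outside_nat, default_route):
    """Follow the server's reply: it is sent back to whatever source it saw."""
    seen_src, _server = firewall_inbound(client, public, outside_nat)
    return router_forward(seen_src, default_route) is not None


if __name__ == "__main__":
    for outside_nat in (False, True):
        for default_route in (True, False):
            ok = reply_reaches_firewall("195.17.1.10", "212.72.1.11",
                                        outside_nat, default_route)
            print(f"global (inside) NAT={outside_nat!s:5} "
                  f"default route={default_route!s:5} "
                  f"-> reply {'delivered' if ok else 'dropped in LAN'}")
```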

amady3381 Tue, 08/21/2007 - 09:20

Hi Jon


Regarding these 2 things, I know that it will happen like what you explain.


What I want to know is why I would do natting for the IPs from outside to inside.


In these two points you are using the internet user's public address. Also, if I open the server to be accessible from outside, I should make the default route to the internal interface of the pix, otherwise it will not be accessible, but I will determine some ports like 80,443,22,.. to be opened.


Finally, your 2 points consider the user as an attacker, but if the user is the admin he will not access the server from outside.


I hope you get my question


Thanks very much

I appreciate your help


Amady

Jon Marshall Tue, 08/21/2007 - 12:05

Amady


Apologies for the rather long explanation, I'll try and answer your questions better this time.


"Also, if I open the server to be accessible from outside, I should make the default route to the internal interface of the pix, otherwise it will not be accessible"


Yes, you are right in the situation where you can set the default gateway of the server to be the pix, but what if the server is not on the subnet that connects to the internal interface of the pix? That is what I tried to explain in my post about if you just have one subnet connected to the pix then you don't need to worry about default routes etc.


"Finally, your 2 points consider the user as an attacker, but if the user is the admin he will not access the server from outside"


Just because the user is not admin does not mean they cannot do damage. One of the first things an attacker would try to do if they managed to get access to your machine as a normal user is to escalate their privileges to admin level. It can and has been done many times.


Hope I have answered your questions


Jon


amady3381 Tue, 08/21/2007 - 21:46

Hi Jon


Thanks very much. Please find the attached file.


I will do the routing configuration for the devices in the diagram; give me your opinion and find me the threats in this configuration, please.


R1:

ip route 0.0.0.0 0.0.0.0 10.1.1.2


FW:


route (outside) 0.0.0.0 0.0.0.0 195.221.211.1 1


route (inside) 10.1.2.0 255.255.255.0 10.1.1.1 1


route (inside) 10.1.3.0 255.255.255.0 10.1.1.1 1


static (inside,outside) 195.221.211.15 10.1.3.2 netmask 255.255.255.255


access-list open_outside permit tcp any host 195.221.211.15 eq 80

access-list open_outside permit tcp any host 195.221.211.15 eq 443

access-list open_outside permit tcp any host 195.221.211.15 eq 22


access-group open_outside in interface outside


Now, I have two cases:


Outside User = Right User


If the user tries to access the server, he will succeed, but if I remove the default route he will not have access, so how can I solve this?


Outside User = Attacker


If the user is an attacker he will access the server only through ports 80,443,22, but if I remove the default route it will not work and I will be safe from attackers, but the normal and right user will not have access either, so how can I solve this?


Please, if you have another configuration for this scenario saving me from the attackers and the internet threats, please write it for me, but without putting the server on the DMZ.


Thanks and Regards

Amady


