Hi Jon

Apprciate yor help !

But the problem is they use it witout the nat (outside) command. see this ex.

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 10.0.1.0 255.255.255.0

static (inside,outside) 1.1.1.1 10.0.1.8 netmask 255.255.255.255

Also, what is the use of translating the IPs from outside to inside. Is there any threat could happen to my network without translating from outside to inside.

Thanks and appreciate your help

amady

Hi Jon

Sorry I didn't get (misunderstand) your last post. Please clarify it in another way or give me an example, Please.

Thanks and Regards

amady

Amady

Which bit did you not understand ?

Jon

Jon

If an outside user can gain acccess to your LAN if you have a default route the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network.

Thanks

Amady

Okay before giving an example you need to understand that this only applies to an internal network that has a number of subnets and the internal network uses router/L3 switches.

if you only have one internal subnet and the default gateway for any clients on that subnet is the inside interface of the ASA/Pix then the example i give is not relevant.

Okay example as follows

inside server address 192.168.5.10/24

Public ip address of server 212.72.1.11

So on your firewall you have an entry

static (inside,outside) 212.72.1.11 192.168.5.10 netmask 255.255.255.255

Your inside interface of the firewall is

192.168.2.1 255.255.255.0

your inside interface has a connection to a router which has an address of 192.168.2.2

On another interface on the same router you have the 192.168.5.0 255.255.255.0 network. The router interface is 192.168.5.1.

Your 192.168.5.10 server has it's default gateway set to 192.168.5.1

On your Pix/ASA you have a route

route (inside) 192.168.5.0 255.255.255.0 192.168.2.2

Right a user on the internet tries to connect to the internal server with ssh

ie. ssh 212.72.1.11

The user device on the internet has the source IP address of 195.17.1.10.

So when the packet arrives at the firewall it has

source IP address 195.17.1.10

destination IP address 212.72.1.11

The firewall NAT's the destination IP address to 192.168.5.10 so now

source IP address 195.17.1.10

destination IP address 192.168.5.10

The firewall now looks up the route for 192.168.5.10 and sends it to 192.168.2.2.

the router now forwards the packet to the 192.168.5.10 server.

So far so good.

The server now sends a return packet back to the client on the internet.

source IP address 192.168.5.1

destination IP address 195.17.1.10

the server packet arrives at the internal router. The router looks up a route for 195.17.1.10 and does not find a route for this host.

Now one of 2 things can happen

i) If you have a default route on your router pointing to the internal interface of the pix/asa then the packet will be forwarded onto the ASA, any natting will take place and then the packet will be forwarded back out to the client.

ii) If the router does not have a default route it drops the packet. So it does not get out of your internal network.

Hope this makes sense

Jon

Hi Jon

Regarding these 2 things, I know that it will happen like what you explain.

what I want to know is why I will make natting for the IPs fom outside to inside.

In these two points you are using the internet user public address. Also, If I open the server to be accessible from outside, I should make the default route to internal interface of the pix otherwise it will not be acessible, but I will determine some ports like 80,443,22,.. to be opened.

Finally, your 2 points considerng the user as attaker but If the user is the admin he will not access the server from outside.

I hope you get my question

Thanks very much

I appreciate your help

Amady

Amady

Apologies for rather long explanation, i'll try and answer your questions better this time.

"Also, If I open the server to be accessible from outside, I should make the default route to internal interface of the pix otherwise it will not be acessible"

Yes you are right in the situation where you can set the default gateway of the server to be the pix but what if the server is not on the subnet that connects to the internal interface of the pix ? That is what i tried to explain in my post about if you just have one subnet connected to the pix then you don't need to worry about default routes etc.

"Finally, your 2 points considerng the user as attaker but If the user is the admin he will not access the server from outside"

Just because the user is not admin does mean they cannot do damage. One of the first things an attacker would try to do if they managed to get access to your machine as a normal user is to escalate their privileges to admin level. It can and has been done many times.

Hope i have answered your questions

Jon

Hi Jon

Thanks very much. Please find the attached file.

I will do the routing configuration for the devices in the digram and give me your opinion and find me the threats in this configuration, please.

R1:

ip route 0.0.0.0 0.0.0.0 10.1.1.2

FW:

route (outside) 0.0.0.0 0.0.0.0 195.221.211.1 1

route (inside) 10.1.2.0 255.255.255.0 10.1.1.1 1

route (inside) 10.1.3.0 255.255.255.0 10.1.1.1 1

Static (inside, outside) 195.221.211.15 10.1.3.2

access-list open_outside permit tcp any host 195.221.211.15 eq 80,443,22

access-group interfae outside in

Now, I have two cases:

Outside User = Right User

If the user try to access the server, he will success but if I remove the default route he will not have access so, how can I solve this.

Outside User = Attacker

If the user is attaker he will access the server only through 80,443,22 ports but if I remove the default route it will not work and I will be safe from attakers but the normal and right user will not have access also, so how can I solve this?

Please if you have another configuration for this senario safing me from the attackers and the internet threats please write it for me but without putting the server on the DMZ.

Thanks and Regards

Amady