08-21-2007 12:34 AM - edited 03-09-2019 06:39 PM
Hi all
I saw many people write this command in their configuration and I have a conflict with it. The command is
global (inside)
I know that we can write
global (outside)
global (DMZ)
to translate the inside IPs, but why global (inside)? Please clarify this.
Thanks
amady
08-21-2007 02:06 AM
Hi
Without a corresponding NAT statement, as far as I know, the global statement is doing nothing. Maybe just some left-over config.
The use is more evident in a large network. If you don't use a default route pointing back to your internet gateway and you have multiple routers, you would need to have routing entries in your routing tables for all possible addresses. Some people don't want that, and they also don't want to use a default route, so it makes sense to translate all source IP addresses coming in to a routable subnet on your network.
The reason you may not want to use a default route is security related. If an outside user can gain access to your LAN and you have a default route, the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network.
Obviously this is not your first line of defence but mistakes do happen and firewalls can be misconfigured.
HTH
Jon
08-21-2007 01:39 AM
Hi
global (inside) would be used to translate source IP addresses coming from outside the PIX firewall into your network. An example would help.
Let's say you have a server that is accessible from the outside which lives on your inside network. Now let's say you allow anybody on the internet to access this server. (I'm not saying you would do this, but it is just an example.)
So the source IP addresses could be any internet address. You may not want these addresses on your internal network. So what you could do is translate all incoming addresses to an address or addresses of your choice, e.g.
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
This would translate all incoming source IP addresses from the outside to the inside interface address of the PIX.
HTH
Jon
08-21-2007 01:59 AM
Hi Jon
Appreciate your help!
But the problem is they use it without the nat (outside) command. See this example:
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
static (inside,outside) 1.1.1.1 10.0.1.8 netmask 255.255.255.255
Also, what is the use of translating the IPs from outside to inside? Is there any threat that could happen to my network without translating from outside to inside?
Thanks, and I appreciate your help
amady
08-21-2007 02:51 AM
Hi Jon
Sorry, I didn't get (misunderstood) your last post. Please clarify it in another way or give me an example, please.
Thanks and Regards
amady
08-21-2007 03:01 AM
Amady
Which bit did you not understand?
Jon
08-21-2007 03:13 AM
Jon
If an outside user can gain access to your LAN and you have a default route, the return packets will automatically be routed back out to the internet. Without a default route the packets would get dropped within your network.
Thanks
08-21-2007 03:31 AM
Amady
Okay, before giving an example you need to understand that this only applies to an internal network that has a number of subnets and where the internal network uses routers/L3 switches.
If you only have one internal subnet and the default gateway for any clients on that subnet is the inside interface of the ASA/PIX, then the example I give is not relevant.
Okay, example as follows:
inside server address 192.168.5.10/24
Public ip address of server 212.72.1.11
So on your firewall you have an entry
static (inside,outside) 212.72.1.11 192.168.5.10 netmask 255.255.255.255
Your inside interface of the firewall is
192.168.2.1 255.255.255.0
your inside interface has a connection to a router which has an address of 192.168.2.2
On another interface on the same router you have the 192.168.5.0 255.255.255.0 network. The router interface is 192.168.5.1.
Your 192.168.5.10 server has its default gateway set to 192.168.5.1
On your Pix/ASA you have a route
route (inside) 192.168.5.0 255.255.255.0 192.168.2.2
Right, a user on the internet tries to connect to the internal server with SSH,
i.e. ssh 212.72.1.11
The user device on the internet has the source IP address of 195.17.1.10.
So when the packet arrives at the firewall it has
source IP address 195.17.1.10
destination IP address 212.72.1.11
The firewall NATs the destination IP address to 192.168.5.10, so now
source IP address 195.17.1.10
destination IP address 192.168.5.10
The firewall now looks up the route for 192.168.5.10 and sends it to 192.168.2.2.
The router now forwards the packet to the 192.168.5.10 server.
So far so good.
The server now sends a return packet back to the client on the internet.
source IP address 192.168.5.1
destination IP address 195.17.1.10
The server packet arrives at the internal router. The router looks up a route for 195.17.1.10 and does not find a route for this host.
Now one of 2 things can happen:
i) If you have a default route on your router pointing to the internal interface of the PIX/ASA, then the packet will be forwarded on to the ASA, any NATting will take place, and then the packet will be forwarded back out to the client.
ii) If the router does not have a default route, it drops the packet, so it does not get out of your internal network.
Hope this makes sense
Jon
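A small Python model of the packet walk in Jon's post above, added here as an illustration and not part of the original thread. It uses the addresses from his example; the global_inside case assumes the nat (outside) / global (inside) 1 interface pair from his earlier reply is configured, so inbound sources are rewritten to the PIX inside address.

```python
import ipaddress

# Constructed model of the PIX/ASA example in the thread (added here, not part
# of the original posts). Addresses are the ones Jon used above.
PIX_INSIDE = "192.168.2.1"                       # inside interface of the PIX
ROUTER_INSIDE = "192.168.2.2"                    # internal router, PIX-facing side
STATIC_NAT = {"212.72.1.11": "192.168.5.10"}     # static (inside,outside) ...
PIX_ROUTES = {"192.168.5.0/24": ROUTER_INSIDE}   # route (inside) 192.168.5.0 ...
ROUTER_CONNECTED = ["192.168.2.0/24", "192.168.5.0/24"]


def pix_next_hop(dst):
    """PIX route lookup for an inside destination; None means no route."""
    addr = ipaddress.ip_address(dst)
    for net, hop in PIX_ROUTES.items():
        if addr in ipaddress.ip_network(net):
            return hop
    return None


def router_next_hop(dst, default_route=None):
    """Internal router lookup: 'connected', the default route, or None (drop)."""
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(n) for n in ROUTER_CONNECTED):
        return "connected"
    return default_route


def trace(src, dst_public, router_default=None, global_inside=False):
    """Trace one inbound connection and its reply.

    Returns (source the server sees, fate of the reply). global_inside=True
    models 'nat (outside) 1 0.0.0.0 0.0.0.0 outside' paired with
    'global (inside) 1 interface', i.e. inbound sources become PIX_INSIDE.
    """
    dst_inside = STATIC_NAT[dst_public]            # destination NAT by the static
    if pix_next_hop(dst_inside) != ROUTER_INSIDE:  # PIX must know the inside route
        return None, "no inside route on PIX"
    src_inside = PIX_INSIDE if global_inside else src
    # The server replies to whatever source it saw; the router decides the fate.
    hop = router_next_hop(src_inside, router_default)
    if hop is None:
        return src_inside, "dropped"       # case ii): no default route
    if hop == "connected":
        return src_inside, "connected"     # reaches the PIX, which untranslates
    return src_inside, "default-route"     # case i): hairpinned back to the PIX
```

Running trace("195.17.1.10", "212.72.1.11") with no router default gives "dropped"; with router_default="192.168.2.1" it gives "default-route"; with global_inside=True the reply is "connected" even without a default route, which is the point of the global (inside) translation.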
08-21-2007 09:20 AM
Hi Jon
Regarding these 2 things, I know that it will happen like you explain.
What I want to know is why I would do NATting for the IPs from outside to inside.
In these two points you are using the internet user's public address. Also, if I open the server to be accessible from outside, I should make the default route to the internal interface of the PIX, otherwise it will not be accessible, but I will determine some ports like 80, 443, 22, ... to be opened.
Finally, your 2 points consider the user as an attacker, but if the user is the admin he will not access the server from outside.
I hope you get my question
Thanks very much
I appreciate your help
Amady
08-21-2007 12:05 PM
Amady
Apologies for the rather long explanation; I'll try and answer your questions better this time.
"Also, if I open the server to be accessible from outside, I should make the default route to the internal interface of the PIX, otherwise it will not be accessible"
Yes, you are right in the situation where you can set the default gateway of the server to be the PIX, but what if the server is not on the subnet that connects to the internal interface of the PIX? That is what I tried to explain in my post about if you just have one subnet connected to the PIX then you don't need to worry about default routes etc.
"Finally, your 2 points consider the user as an attacker, but if the user is the admin he will not access the server from outside"
Just because the user is not admin does not mean they cannot do damage. One of the first things an attacker would try to do if they managed to get access to your machine as a normal user is to escalate their privileges to admin level. It can and has been done many times.
Hope I have answered your questions
Jon
08-21-2007 09:46 PM
Hi Jon
Thanks very much. Please find the attached file.
I will do the routing configuration for the devices in the diagram; please give me your opinion and find me the threats in this configuration.
R1:
ip route 0.0.0.0 0.0.0.0 10.1.1.2
FW:
route (outside) 0.0.0.0 0.0.0.0 195.221.211.1 1
route (inside) 10.1.2.0 255.255.255.0 10.1.1.1 1
route (inside) 10.1.3.0 255.255.255.0 10.1.1.1 1
static (inside,outside) 195.221.211.15 10.1.3.2
access-list open_outside permit tcp any host 195.221.211.15 eq 80
access-list open_outside permit tcp any host 195.221.211.15 eq 443
access-list open_outside permit tcp any host 195.221.211.15 eq 22
access-group open_outside in interface outside
Now, I have two cases:
Outside User = Right User
If the user tries to access the server, he will succeed, but if I remove the default route he will not have access, so how can I solve this?
Outside User = Attacker
If the user is an attacker he will access the server only through ports 80, 443 and 22, but if I remove the default route it will not work and I will be safe from attackers, but the normal and right user will not have access either, so how can I solve this?
Please, if you have another configuration for this scenario saving me from the attackers and the internet threats, write it for me, but without putting the server on the DMZ.
Thanks and Regards
Amady