04-04-2008 09:10 PM - edited 03-11-2019 05:27 AM
Hi,
This weekend I'm migrating a Netscreen's firewall rules to a PIX.
I was hoping someone could take a look at what I plan on doing and let me know if there are any possible issues. I am not so much concerned with the issues of in-bound security; more with the use of PAT and the statics overlapping the PAT range. In the examples I've seen, the NAT or PAT range/pool is separate from the in-bound IPs.
The config is listed below.
I will be using a single PAT address to allow the office network out-bound access to the internet. I will be implementing static translations and access lists to allow in-bound traffic to reach some servers on the office LAN.
I was wondering if there could be any issues because my PAT statement is for the whole class C (the office LAN) and the in-bound static translations are to various IPs in that same class C range.
I was told the internal servers will not initiate out-bound requests, but I'm not sure of that. If the servers were to attempt an outside connection, would they use the static translations or the PAT statement?
Thanks,
Michael
interface Ethernet0
 nameif outside_net
 security-level 0
 ip address 2.100.211.40 255.255.255.0
interface Ethernet1
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0
PAT FOR THE OFFICE LAN IPs
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface
access-list internal_net_access_in extended permit ip any any
access-list outside_net_access_in extended permit udp any host 2.100.211.44 eq pptp
access-list outside_net_access_in extended permit tcp any host 2.100.211.44 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.45 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.76 eq ssh
access-list outside_net_access_in extended permit tcp any host 2.100.211.54 eq ssh
STATICs for in-bound server access
static (internal_net,outside_net) 2.100.211.44 10.11.28.10
static (internal_net,outside_net) 2.100.211.45 10.11.28.23
static (internal_net,outside_net) 2.100.211.76 10.11.28.240
static (internal_net,outside_net) 2.100.211.54 10.11.28.14
route outside_net 0.0.0.0 0.0.0.0 2.100.211.1
access-group outside_net_access_in in interface outside_net
access-group internal_net_access_in in interface internal_net
04-04-2008 10:02 PM
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface
Above you have the most basic outbound traffic well covered for any inside class network to be PATed for outbound internet.
I was told the internal servers will not initiate out-bound requests, but I'm not sure of that. If the servers were to attempt an outside connection, would they use the static translations or the PAT statement?
Servers will use their static public IP also for outbound connections, not PAT.
More in the use of PAT and the statics overlapping the PAT range. In examples I've seen the NAT or PAT range/pool is separate from the in-bound IPs.
It does not matter. You can have a pool of public IPs for PATing, but they cannot be used as static mappings. You can have static NAT mappings in any order within your public IP block, but as long as you designate a static mapping to a local host you cannot use that address in a dynamic pool, as you will get overlapping errors, or the PIX/ASA will not let you do it anyway.
Overall you have it covered for inbound tcp services on your servers.
Rgds
Jorge
04-05-2008 08:28 AM
Jorge, Abhishek,
Thanks for your reviews and comments. I will sleep better tonight.
Michael
04-04-2008 10:20 PM
Hi Michael,
Your configuration is perfectly ok. The static statement overlaps the PAT statement, so your servers are going through static NAT. You can also verify this by issuing these commands:
show xlate
show conn
show local-host
These will show your local-to-global translations.
Hope this will help you.
04-05-2008 09:21 AM
Your configuration is NOT ok. This configuration has a lot of security risk implications because of this:
access-list internal_net_access_in extended permit ip any any
access-list outside_net_access_in extended permit tcp any host 2.100.211.76 eq ssh
access-list outside_net_access_in extended permit tcp any host 2.100.211.54 eq ssh
access-group outside_net_access_in in interface outside_net
access-group internal_net_access_in in interface internal_net
Let's say host 2.100.211.54 or .76 is compromised by an attacker. Once this attacker gains control of the host, he will have UN-restricted access to ANYWHERE. Is that what you want? Let's say you have a VPN tunnel between your network and your partner; he can attack your partner also. This is NOT how you configure firewalls.
my 2c
CCIE Security
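The two points argued in this thread, Jorge's answer that a host with a static uses that static rather than the interface PAT for its own outbound connections, and the warning above that "permit ip any any" on the inside interface lets a compromised server start connections anywhere, can be checked offline with a small model of the PIX behaviour. The following script is an added example, not code from the thread or from Cisco: it parses a constructed copy of the posted nat/global/static/access-list lines, applies the PIX rule that statics take precedence over nat/global, evaluates ACLs top-down with the implicit deny, and compares the posted inside ACL with a hypothetical tightened one in which the four servers get no outbound access at all. The port-name table and the tightened ACL are assumptions for the example.

```python
"""Added example (not from the thread, not Cisco code): a small model of the
two PIX rules this thread turns on, run over a constructed copy of the posted
config.  Rule 1: a 'static' for a host takes precedence over 'nat'/'global'
PAT for that host's own outbound connections.  Rule 2: access-list entries are
evaluated top-down with an implicit deny at the end, so 'permit ip any any' on
the inside interface lets every inside host open connections to anything."""
import ipaddress

# Subset of the port names the PIX accepts in 'eq' clauses (assumed list).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "pptp": 1723, "domain": 53}

# Constructed copy of the translation and outside-ACL part of the posted config.
POSTED_NAT = """
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface
static (internal_net,outside_net) 2.100.211.44 10.11.28.10
static (internal_net,outside_net) 2.100.211.45 10.11.28.23
static (internal_net,outside_net) 2.100.211.76 10.11.28.240
static (internal_net,outside_net) 2.100.211.54 10.11.28.14
access-list outside_net_access_in extended permit tcp any host 2.100.211.44 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.54 eq ssh
"""

# The inside ACL exactly as posted: any inside host may start a connection anywhere.
POSTED_INSIDE_ACL = "access-list internal_net_access_in extended permit ip any any\n"

# Hypothetical tightened inside ACL (an assumption for this example): the servers
# that only receive connections get no outbound at all; office hosts keep web and DNS.
HARDENED_INSIDE_ACL = """
access-list internal_net_access_in extended deny ip host 10.11.28.10 any
access-list internal_net_access_in extended deny ip host 10.11.28.23 any
access-list internal_net_access_in extended deny ip host 10.11.28.240 any
access-list internal_net_access_in extended deny ip host 10.11.28.14 any
access-list internal_net_access_in extended permit tcp 10.11.28.0 255.255.255.0 any eq www
access-list internal_net_access_in extended permit tcp 10.11.28.0 255.255.255.0 any eq https
access-list internal_net_access_in extended permit udp 10.11.28.0 255.255.255.0 any eq domain
"""


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]: 'any' | 'host A' | 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse(config):
    """Build a dict of statics (local -> global), nat/global by ID, and ACLs."""
    cfg = {"static": {}, "nat": {}, "global": {}, "acl": {}}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":            # static (in,out) GLOBAL LOCAL
            cfg["static"][t[3]] = t[2]
        elif t[0] == "nat":             # nat (in) ID NET MASK
            cfg["nat"].setdefault(t[2], []).append(ipaddress.ip_network(f"{t[3]}/{t[4]}"))
        elif t[0] == "global":          # global (out) ID interface|POOL
            cfg["global"][t[2]] = t[3]
        elif t[0] == "access-list":     # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            cfg["acl"].setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port})
    return cfg


def outbound_translation(cfg, local_ip):
    """Source address LOCAL_IP presents on outside_net: static first, then nat/global."""
    if local_ip in cfg["static"]:
        return "static", cfg["static"][local_ip]
    host = ipaddress.ip_address(local_ip)
    for nat_id, nets in cfg["nat"].items():
        if any(host in n for n in nets):
            return "pat", cfg["global"][nat_id]
    return None, None


def acl_permits(cfg, name, proto, src, dst, port):
    """Evaluate ACL NAME top-down; the first matching entry decides, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg["acl"].get(name, []):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"] == "permit"
    return False


POSTED = parse(POSTED_NAT + POSTED_INSIDE_ACL)
HARDENED = parse(POSTED_NAT + HARDENED_INSIDE_ACL)

if __name__ == "__main__":
    print(outbound_translation(POSTED, "10.11.28.10"))   # ('static', '2.100.211.44')
    print(outbound_translation(POSTED, "10.11.28.50"))   # ('pat', 'interface')
    # One of the SSH servers, if compromised, opening a connection to an arbitrary
    # outside address and port (192.0.2.7 is a constructed documentation address):
    print(acl_permits(POSTED, "internal_net_access_in", "tcp", "10.11.28.14", "192.0.2.7", 445))    # True
    print(acl_permits(HARDENED, "internal_net_access_in", "tcp", "10.11.28.14", "192.0.2.7", 445))  # False
```

The first two results are Jorge's answer in code: 10.11.28.10 has a static, so it leaves as 2.100.211.44; 10.11.28.50 has none, so it falls through to the interface PAT, and the two never collide. The last two are the point of the post above: with the ACL as posted the server reaches anything, while with the tightened ACL the deny entries for the servers are hit before the permits, so the same connection is dropped while office hosts still get web and DNS. The model ignores connection state, NAT control and ACL line counters, so treat it as a way to reason about the policy, not as a replacement for testing on the box.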
04-05-2008 09:29 AM
Thank you for the comment.
Yes! I hear you and I have mentioned this to the person I am working with and pointed out in detail the pitfalls. They say that eventually the servers will be moved to a protected CoLo.
I'm just a temp at this company so I can only do so much.
Unless you would prefer me not to, I may pass on your posted comments.
Thanks,
Michael
04-05-2008 09:50 AM
I do not mind.
This is one of the many things I do not like about Pix/ASA. Basically, the minute you put "inside" and "outside" on interfaces, hosts residing on the higher security interface can attack hosts residing on the lower security interface, by default.
Pix is the only security device I know of that does this.