PIX firewall PAT & Static Translations

mvhurley9
Level 1

Hi,

This weekend I'm migrating a Netscreen's firewall rules to a PIX .

I was hoping someone can take a look at what I plan on doing and let me know if there are any possible issues. I am not so much concerned with the issues of in-bound security. More in the use of PAT and the statics overlapping the PAT range. In examples I've seen the NAT or PAT range/pool is separate from the in-bound IPs.

The config is listed below.

I will be using a single PAT address to allow the office network out-bound access to the internet. I will be implementing static translations and access lists to allow in-bound traffic to reach some servers on the office LAN.

I was wondering if there could be any issues because my PAT statement is for the whole class C (the office LAN) and the in-bound static translations are to various IPs in that same class C range.

I was told the internal servers will not initiate out-bound requests, but I'm not sure of that. If the servers were to attempt an outside connection, would they use the static translations or the PAT statement?

Thanks,

Michael

interface Ethernet0
 nameif outside_net
 security-level 0
 ip address 2.100.211.40 255.255.255.0
interface Ethernet1
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0

PAT FOR THE OFFICE LAN IPs

nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface

access-list internal_net_access_in extended permit ip any any
access-list outside_net_access_in extended permit udp any host 2.100.211.44 eq pptp
access-list outside_net_access_in extended permit tcp any host 2.100.211.44 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.45 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.76 eq ssh
access-list outside_net_access_in extended permit tcp any host 2.100.211.54 eq ssh

STATICs for in-bound server access

static (internal_net, outside_net) 2.100.211.44 10.11.28.10
static (internal_net, outside_net) 2.100.211.45 10.11.28.23
static (internal_net, outside_net) 2.100.211.76 10.11.28.240
static (internal_net, outside_net) 2.100.211.54 10.11.28.14

route outside_net 0.0.0.0 0.0.0.0 2.100.211.1

access-group outside_net_access_in in interface outside_net
access-group internal_net_access_in in interface internal_net


JORGE RODRIGUEZ
Level 10

nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface

Above you have the most basic outbound traffic well covered for any inside class network to be PATed for outbound internet.

I was told the internal servers will not initiate out-bound requests, but I'm not sure of that. If the servers were to attempt an outside connection, would they use the static translations or the PAT statement?

Servers will use their static public IP also for outbound connections, not PAT.

More in the use of PAT and the statics overlapping the PAT range. In examples I've seen the NAT or PAT range/pool is separate from the in-bound IPs

It does not matter. You can have a pool of public IPs for PATing, but they cannot be used as static mappings. You can have static NAT mappings in any order within your public IP block, but as long as you designate a static mapping to a local host you cannot use it in a dynamic pool, as you will have overlapping errors, or the PIX/ASA will not let you do it anyway.

Overall you have it covered for inbound tcp services on your servers.

Rgds

Jorge

Jorge Rodriguez

Jorge, Abhishek,

Thanks for your reviews and comments. I will sleep better tonight.

Michael

abhisheksen
Level 1

Hi Michael,

Your configuration is perfectly ok. The static statement overlaps the PAT statement, so your servers are going through static NAT. You can also verify this by issuing these commands:

show xlate
show conn
show local-host

These will show your local to global translations.

Hope this will help you.

Your configuration is NOT ok. This configuration has a lot of security risk implications because of this:

access-list internal_net_access_in extended permit ip any any
access-list outside_net_access_in extended permit tcp any host 2.100.211.76 eq ssh
access-list outside_net_access_in extended permit tcp any host 2.100.211.54 eq ssh
access-group outside_net_access_in in interface outside_net
access-group internal_net_access_in in interface internal_net

Let's say host 2.100.211.54 or .76 is compromised by an attacker. Once this attacker gains control of the host, he will have UN-restricted access to ANYWHERE. Is that what you want? Let's say you have a VPN tunnel between your network and your partner; he can attack your partner also. This is NOT how you configure firewalls.

my 2c

CCIE Security
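The point raised in the reply above is that the inside access-list, not the static translations, decides what a server can reach once it is compromised. The fragment below is an added example and is not part of the thread or of Michael's configuration. It keeps the interface names, addresses and static translations from his config, and it assumes the servers need nothing outbound except DNS to a resolver whose address is a placeholder; lines starting with `!` are explanatory and would be dropped before pasting. PIX evaluates an access-list first-match from the top, with an implicit deny at the end, and an access-list applied inbound on `internal_net` matches on the real (untranslated) 10.11.28.x addresses, so the servers can be singled out by their inside addresses while the rest of the LAN keeps its PAT access.

```text
! Group the four hosts that have static translations (from the original config)
object-group network inbound_servers
 network-object host 10.11.28.10
 network-object host 10.11.28.23
 network-object host 10.11.28.240
 network-object host 10.11.28.14

! Remove the blanket permit that the reply above objects to
no access-list internal_net_access_in extended permit ip any any

! 1. Only what the servers are assumed to need outbound (placeholder resolver)
access-list internal_net_access_in extended permit udp object-group inbound_servers host <DNS_RESOLVER_IP> eq domain
! 2. Everything else the servers try to initiate is dropped and logged,
!    so a compromised server cannot pivot outbound (or across a VPN)
access-list internal_net_access_in extended deny ip object-group inbound_servers any log
! 3. The rest of the office LAN still leaves via the PAT (nat/global 1)
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 any

! Unchanged: statics and the outside ACL still provide the inbound access
static (internal_net, outside_net) 2.100.211.44 10.11.28.10
static (internal_net, outside_net) 2.100.211.45 10.11.28.23
static (internal_net, outside_net) 2.100.211.76 10.11.28.240
static (internal_net, outside_net) 2.100.211.54 10.11.28.14
access-group internal_net_access_in in interface internal_net
```

Order matters: the deny for the server group must sit above the LAN-wide permit, otherwise the permit matches first and the deny never applies. `show access-list internal_net_access_in` displays the hit counts per line, which is the quickest way to confirm that server-originated traffic is hitting the deny line rather than the LAN permit; the `log` keyword on the deny additionally produces a syslog entry for each denied flow, which is what a monitoring team would alert on.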

Thank you for the comment.

Yes! I hear you and I have mentioned this to the person I am working with and pointed out in detail the pitfalls. They say that eventually the servers will be moved to a protected CoLo.

I'm just a temp at this company so I can only do so much.

Unless you would prefer me not to, I may pass on your posted comments.

Thanks,

Michael

I do not mind.

This is one of the many things I do not like about Pix/ASA. Basically, the minute you put "inside" and "outside" on interfaces, hosts residing on a higher security interface can attack hosts residing on a lower security interface, by default.

Pix is the only security device I know of that does this.
