Inbound rule for outside global address?

rcoote5902_2
Level 2

We have a vendor who we're working with for some financial software.  They've provided me a list of ports that they claim need to be opened inbound, which has me a little concerned since there is no reason for any of their servers to initiate a connection to us.  The other strange thing (at least to my limited knowledge of firewalls) is that they've requested these ports be opened to our outside global address.  Does this make sense?  I'm blocking outbound traffic to a very limited number of ports, so any outbound requests to their servers are stateful and should come back to whatever host originated the connection.

Is there any valid reason why they would need these ports opened inbound? This is a Pix 515E.

Here's the pertinent config info - IPs are edited for security:

global (outside) 1 199.99.99.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit tcp host 199.99.99.99 eq 448 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 449 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 992 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 5556 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9470 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9471 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9472 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9473 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9474 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9475 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9476 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 9480 host 67.67.67.67

Accepted solution: Jon Marshall's final reply, below.

7 Replies

Jon Marshall
Hall of Fame

rcoote5902 wrote: (quoting the original post in full)

Do you have static NAT/PAT mappings for these conduit entries ? ie.

conduit permit tcp host 199.99.99.99 eq 448 host 67.67.67.67

do you have a corresponding static statement - something like -

static (inside,outside) tcp 199.99.99.99 448 192.168.5.10 448   <-- where 192.168.5.10 is the internal address of the server.

Without a corresponding static for the conduit statements then no, it doesn't make much sense to me, because it won't work. More importantly, are you meant to be allowing any traffic to be initiated from the vendor to your internal servers?

By the way, I had to look up the "conduit" syntax in the PIX command reference, as it's been so long since I last used it.

Jon
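Jon's check (does every conduit have a static it can land on?) is easy to automate against a saved copy of the running config. The script below is an added example written in Python for this page; it is not code from the thread, from the poster or from Cisco. It parses the `global`, `static` and `conduit` lines of a PIX 6.x config and classifies each `conduit permit`: it either lands on a static (real inbound exposure that needs justifying), names a PAT global with no static (a dead permit that passes nothing, which is this thread's situation), names an address nothing maps, or uses `any` on the global side. The sample config is constructed: the thread's sanitised addresses plus a hypothetical port static for 448, a hypothetical 1:1 static for 199.99.99.100 and the hypothetical 192.168.5.x internal addresses. It only understands the forms used in the thread (`host X` or `any` on each side with an optional `eq port`, and `global` lines naming one dotted address); address ranges, masks and the `interface` keyword are out of scope.

```python
"""Audit PIX 6.x conduit permits against the statics they need to pass traffic."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's sanitised config. The port
# static for 448, the 1:1 static for 199.99.99.100 and the 192.168.5.x
# addresses are hypothetical, added so the audit has conduits that match.
SAMPLE_CONFIG = """\
global (outside) 1 199.99.99.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 199.99.99.99 448 192.168.5.10 448 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.100 192.168.5.20 netmask 255.255.255.255 0 0
conduit permit tcp host 199.99.99.99 eq 448 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 449 host 67.67.67.67
conduit permit tcp host 199.99.99.99 eq 992 host 67.67.67.67
conduit permit tcp host 199.99.99.100 eq 22 any
conduit permit tcp any eq 80 any
"""

# Only the forms used in the thread are recognised: one dotted global
# address, 'host X' / 'any' on both sides of a conduit, optional 'eq port'.
GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ (\d+\.\d+\.\d+\.\d+)")
PORT_STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
FULL_STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\d+\.\d+\.\d+\.\d+) (\S+)")
CONDUIT_RE = re.compile(
    r"^conduit permit (tcp|udp|ip) (host \S+|any)(?: eq (\d+))? (host \S+|any)")


@dataclass
class Finding:
    conduit: str
    verdict: str   # "exposed", "pat-no-static", "no-static" or "broad"
    detail: str


def _addr(token):
    """'host 1.2.3.4' -> '1.2.3.4'; 'any' -> None."""
    return None if token == "any" else token.split()[1]


def parse_config(text):
    """Collect PAT globals, port statics, 1:1 statics and conduit permits."""
    pat_globals, port_statics, full_statics, conduits = set(), {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            pat_globals.add(m.group(1))
            continue
        m = PORT_STATIC_RE.match(line)
        if m:
            proto, gip, gport, lip, lport = m.groups()
            port_statics[(gip, proto, gport)] = (lip, lport)
            continue
        m = FULL_STATIC_RE.match(line)
        if m:
            full_statics[m.group(1)] = m.group(2)
            continue
        m = CONDUIT_RE.match(line)
        if m:
            proto, gtok, gport, ftok = m.groups()
            conduits.append((line, proto, _addr(gtok), gport, _addr(ftok)))
    return pat_globals, port_statics, full_statics, conduits


def _static_target(proto, gip, gport, port_statics, full_statics):
    """Internal (ip, port) a conduit to gip/gport can actually reach, or None."""
    if gport is not None:
        for p in (("tcp", "udp") if proto == "ip" else (proto,)):
            if (gip, p, gport) in port_statics:
                return port_statics[(gip, p, gport)]
    if gip in full_statics:            # 1:1 static: every port is mapped
        return full_statics[gip], gport or "any"
    return None


def audit_conduits(text):
    """One Finding per conduit permit, in config order."""
    pat_globals, port_statics, full_statics, conduits = parse_config(text)
    findings = []
    for line, proto, gip, gport, fip in conduits:
        src, port = fip or "any source", gport or "any"
        target = None if gip is None else _static_target(
            proto, gip, gport, port_statics, full_statics)
        if gip is None:
            verdict, detail = "broad", (f"{src} may initiate {proto}/{port} to every "
                                        "statically mapped global; narrow it to one host")
        elif target:
            verdict, detail = "exposed", (f"{src} can initiate {proto} to {target[0]}:"
                                          f"{target[1]}; confirm inbound access is really required")
        elif gip in pat_globals:
            verdict, detail = "pat-no-static", (f"{gip} is a PAT global with no static for "
                                                f"{proto}/{port}; the permit passes nothing, remove it")
        else:
            verdict, detail = "no-static", f"no static maps {gip}; the permit passes nothing"
        findings.append(Finding(line, verdict, detail))
    return findings


if __name__ == "__main__":
    for f in audit_conduits(SAMPLE_CONFIG):
        print(f"[{f.verdict}] {f.conduit}\n    {f.detail}")
```

To run it against a real box, replace `SAMPLE_CONFIG` with the text of `show running-config`. On the thread's config every conduit comes back as `pat-no-static`: the permits are inert, which is exactly why they make no sense as written. The findings worth a conversation with the vendor are the `exposed` ones, since those are the only lines that actually let an outside host open a connection inward.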

No there are no corresponding static statements because the 199.99.99.99 is our outside global address for PAT.  All of our hosts use that IP for outside traversal.  Which is also why it doesn't make any sense to me.

I know, it's an old box but I have a new ASA sitting on my desk ready to go in.

rcoote5902 wrote: (quoting the previous post in full)

If there are no static statements then it really makes no sense. Perhaps you could ask the vendor what the purpose of the request is.

Jon

We can't seem to get to a level of support with this vendor that would allow us to ask the right questions.  All we have from them is a sheet of "Ports that need to be open" for our firewall.

I assumed this meant outbound - which, in a stateful environment with very few outbound ports being blocked, should mean I don't really need to do anything.  However, someone on their end said these conduits needed to be added (while I was out on vacation) and one of the other guys in my office added them.

The problem is these ports need to be accessible to multiple hosts, so the static entries won't really work anyway.  I'm not even really convinced that any of their servers need to initiate a connection into us.

So, this begs the question...if I need to add inbound rules to allow these ports to all hosts on our network (ugh!) how would I do that?  I'm not sure a "conduit permit any any" is such a hot idea...

rcoote5902 wrote: (quoting the previous post in full)

Never mind the "conduit permit any any" you would need static translations on your firewall for every host in your network which

a) isn't practical

b) I've never seen this done before. Anyway, surely not all hosts would be running these ports, if any, so I'm still struggling to see the point.

Jon

Thanks Jon, lots of points coming your way.

So to summarize and correct me if I'm wrong here...

1) If this is for outbound ports - I don't need to do anything assuming I'm not actively blocking those ports.

2) If this is for inbound ports - it doesn't make any sense. 

rcoote5902 wrote: (quoting the previous post in full)

1) correct

2) correct again

Glad to have helped and thanks for the ratings.

Jon
