- No ACL (inbound or outbound) applied to the inside interface (no outbound ACL on the outside interface)
- IP reverse path verify not set on any interface
- Internal network (behind inside interface) is privately addressed
- NAT control is not enabled.
- The Dynamic NAT is set using an access list
global (outside) 1 interface
nat (inside) 1 access-list MYACL
access-list MYACL extended permit ip MY_Internal_Net MY_internal_Mask host W.X.Y.Z
My question is whether it is conceivable for someone on the internal network to set a source address that is a publicly routeable address and access the Internet in some way. My thinking being that:
- No ACL has been applied to the inside interface so traffic from higher security level to lower will be permitted; especially given that NAT control has not been enabled.
- Unicast RPF protection is not in place via the reverse path verify command so perhaps someone internally could set their machine to a publicly routeable address and make outbound requests and as long as the source address set is not in use, the traffic may just be routed out by the ASA and returned to it with the response traffic.
Is this possible or is it impossible in this setup for internal hosts to make any kind of connection with remote hosts or to even send traffic to any Internet hosts (without expecting a response)? Thanks.
I am thinking that the question boils down to this: if someone were to set themselves an external public IP not in use on an internal device and were to send out requests, would the response from the receiving device find a route back to the request?
Theoretically the ASA, in this case, would just forward the packet as any other normal packet. But the user would have to manipulate the packet a little in order for the PC to send the packet to a default gateway that is not on the same subnet as its own IP.
-- Please remember to rate and select a correct answer
Short answer: communication no, sending yes. So I would be in favor of tightening the firewall configuration.
Getting bidirectional communications is not likely in this case because that would depend on the willingness of the upstream routers to send the return traffic back to the non-subnet address; this isn't likely unless you are an autonomous system who can inject BGP routes for darknet R&D. Security researchers publish papers using that tactic. However, lack of actual ACL rules or RPF is just begging to let compromised hosts emit DDOS traffic with spoofed source addresses, and this configuration would just slide that stuff right out.
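To make the reverse-path check from the question and the spoofed-source concern in the reply above concrete, here is an added example (not from the original thread or from Cisco) that models what strict unicast RPF and an inbound source ACL on the inside interface would each do with the two kinds of traffic discussed. The routing table, the 10.10.0.0/16 prefix standing in for MY_Internal_Net/MY_internal_Mask, and the sample packets are all constructed for the illustration; the ASA commands named in the comments (`ip verify reverse-path interface inside`, `access-group ... in interface inside`) are the real commands the thread refers to, but this script only simulates their forwarding decision.

```python
import ipaddress

# Constructed routing table for the scenario in the thread: the inside interface
# holds the private network, everything else is reached via the default route on
# outside. 10.10.0.0/16 is a placeholder for MY_Internal_Net/MY_internal_Mask.
ROUTING_TABLE = [
    (ipaddress.ip_network("10.10.0.0/16"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def best_route(ip, table=ROUTING_TABLE):
    """Longest-prefix match: return the egress interface for ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return None
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


def urpf_strict_permits(src_ip, ingress_iface, table=ROUTING_TABLE):
    """Strict unicast RPF, the check 'ip verify reverse-path interface inside'
    adds: the packet is forwarded only if the route back to its source address
    leaves through the same interface the packet arrived on."""
    return best_route(src_ip, table) == ingress_iface


def inside_acl_permits(src_ip, inside_net):
    """Effect of an inbound ACL on the inside interface that permits only the
    internal network as source (applied with 'access-group <acl> in interface
    inside'); anything else hits the implicit deny."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(inside_net)


def evaluate(packets, inside_net="10.10.0.0/16"):
    """For each (src, dst) packet arriving on inside, report whether the thread's
    open configuration, strict uRPF alone, and a source ACL alone forward it.
    The open configuration (no ACL, no RPF, NAT control off) forwards everything
    from a higher to a lower security level, as the question notes."""
    results = []
    for src, dst in packets:
        results.append({
            "src": src,
            "dst": dst,
            "open_config": True,
            "urpf": urpf_strict_permits(src, "inside"),
            "acl": inside_acl_permits(src, inside_net),
        })
    return results


# Constructed sample traffic seen on the inside interface.
SAMPLE_PACKETS = [
    ("10.10.5.20", "203.0.113.10"),     # legitimate internal host
    ("198.51.100.77", "203.0.113.10"),  # host that set itself an unused public IP
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_PACKETS):
        print(row)
```

Both checks drop the second packet for the same reason: the only route covering 198.51.100.77 is the default route, which points to outside, so the source cannot legitimately have arrived on inside. The ACL version is the more explicit of the two and does not depend on the routing table, which is why it is the usual recommendation for the inside interface.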