Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Spoofing when no ACL / restricted Dynamic NAT

     Looking at an ASA 8.2.1 with the following:

- No ACL (inbound or outbound) applied to the inside interface (no outbound ACL on the outside interface)

- IP reverse path verify not set on any interface

- Internal network (behind inside interface) is privately addressed

- NAT control is not enabled.

- The Dynamic NAT is set using an access list

    global (outside) 1 interface

    nat (inside) 1 access-list MYACL

    access-list MYACL extended permit ip MY_Internal_Net MY_internal_Mask host W.X.Y.Z

My question is whether it is conceivable for someone on the internal network to set a source address that is a publicly routeable address and access the Internet in someway. My thinking being that:

- No ACL has been applied to the inside interface so traffic from higher security level to lower will be permitted; especially given that NAT control has not been enabled.

- Unicast RPF protection is not in place via the reverse path verify command so perhaps someone internally could set their machine to a publcily routeable address and make outbound requests and as long as the source address set is not in use, the traffic may just be routed out by the ASA and returned to it with the response traffic.

Is this possible or is it impossible in this setup for internal hosts to make any kind of connection with remote hosts or to even send traffic to any Internet hosts (without expecting a response)?  Thanks.

4 REPLIES
New Member

Re: Spoofing when no ACL / restricted Dynamic NAT

I've not been able to track down a real answer for this yet. Any thoughts on this would be appreciated. Thanks.

New Member

Spoofing when no ACL / restricted Dynamic NAT

I am thinking that the question boils down to this: if someone were to set themselves an external public IP not in use on an internal device and were to send out requests, would the response from the receiving device find a route back to the request.

VIP Green

Spoofing when no ACL / restricted Dynamic NAT

Theoretically the ASA, in this case, would just forward the packet as any other normal packet.  But the user would have to manipulate the packet a little in order for th PC to send the packet to a default gateway that is not on the same subnet as its own IP.

--
Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer

Spoofing when no ACL / restricted Dynamic NAT

Short answer: communication no, sending yes. So I would be in favor of tightening the firewall configuration.

Getting bidirectional communications is not likely in this case because that would depend on the willingness of the upstream routers to send the return traffic back to the non-subnet address; this isn't likely unless you are an autonomous system who can inject BGP routes for darknet R&D.  Security researches publish papers using that tactic.   However, lack of actual ACL rules or RPF is just begging to let compromised hosts emit DDOS traffic with spoofed source addresses, and this configuration would just slide that stuff right out.

-- Jim Leinweber, WI State Lab of Hygiene

234
Views
0
Helpful
4
Replies
CreatePlease to create content