Using both public and private networks via NAT 0, with security!

Discussion in 'Cisco' started by Paul C., Apr 7, 2004.

  1. Paul C.

    Paul C. Guest

    I've been banging my head on the wall in regards to this. Here's our
    basic network setup:

    Internet --> Edge router --> PIX public int --> PIX private int -->
    Internal router

    The internal router is running a large number of vlans, in both our
    public Internet routable address space and RFC 1918 space. For ease
    of use, let's call our private space 10.1.0.0/16 and pretend our public
    space is 172.16.0.0/16.

    We're needing to non-translate IPs in our public block (as well as
    permit inbound access to them from the outside, filtered only by
    ACLs) and NAT the private IPs using pools of different class C's of
    our public space.

    This basically works using NAT 0, but the problem is that it creates
    a security issue; as long as the private hosts have translation table
    entries, outside entities can portscan our public /16, and the inside
    private 10.1.0.0/16 hosts show that portscan activity in their
    logfiles. Basically our private hosts are no longer secure.

    Ex:

    So that our public /16 can access the net:

    nat (inside) 0 access-list NO-NAT
    access-list NO-NAT; 1 elements
    access-list NO-NAT line 1 permit ip 172.16.0.0 255.255.0.0 any

    For the class C 10.1.1.0 to be NAT'ed:

    nat (inside) 1 10.1.1.0 255.255.255.0
    global (outside) 1 172.16.1.11-172.16.1.244 netmask 255.255.255.0

    Like I said, all you have to do from the Internet is portscan
    172.16.1.0/24, and any private host with translation entries gets
    scanned. I want the private hosts to still be able to be NAT'ed and
    get outside, but still have the security in place that unrequested
    inbound activity to that private is not permitted.

    Also, our public network needs to have both outbound AND inbound
    traffic allowed unless otherwise denied by our ACL policy. Here's
    what I've thought *might* work, but I can't try it in production:

    nat (inside) 0 172.16.0.0 255.255.0.0
    (to permit outbound access without NAT'ing)

    static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
    (to permit inbound access to public space, though still protected by
    the ACL).

    nat (inside) 1 10.1.1.0 255.255.255.0
    global (outside) 1 172.16.1.11-172.16.1.244 netmask 255.255.255.0

    Does anyone know if this will work, or am I still gonna get the same
    portscan activity on the private networks?
     
    Paul C., Apr 7, 2004
    #1

  2. hgreenblatt

    hgreenblatt Guest

    Paul,
    I may not get this quite right, but I think it will get you started. The
    nat 0 sounds like the problem. Going through the firewall, all addresses have to
    be translated (even to themselves, hence your nat 0), but you could also do
    something like

    static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
    actually I hate when books use private addresses (RFC 1918) to describe the
    public, so let's say your network is really 24.90/16 (pardons to RoadRunner)
    static (inside,outside) 24.90.0.0 24.90.0.0 netmask 255.255.0.0

    The way the PIX works is that the static has higher priority than nat (but
    not nat 0). Using the static above, and taking out the nat 0, your
    access-list should work fine, and the only ports that the outside can see
    will be those that you allow. The firewall is stateful, so starting a
    conversation from inside is fine.

    If anyone wants to correct me please do, I have only been doing this a few
    months.

    Howie

     
    hgreenblatt, Apr 11, 2004
    #2
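To make the exposure both posts talk about concrete, here is a small simplified model of inbound handling on a PIX outside interface. It is added here as an illustration and is not code from either poster or from Cisco; the precedence it uses (outside ACL, then live xlate, then unused pool address, then identity static), the server VLAN 172.16.5.0/24, the host 10.1.1.7 and the pool address 172.16.1.50 are all constructed assumptions. It shows why a private host with a translation entry answers to a scan of the pool range when the ACL admits the whole public /16, and that an outside ACL which denies the nat/global pool range and opens only the real public VLANs stops that.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PixModel:
    """Simplified model (constructed for this example) of inbound handling on the outside interface."""
    acl_in: list                                   # ordered (action, dst network) entries, implicit deny
    statics: list = field(default_factory=list)    # identity statics: networks reachable as themselves
    pools: list = field(default_factory=list)      # nat/global pool ranges handed to private hosts
    xlates: dict = field(default_factory=dict)     # global IP -> inside IP, created by outbound traffic

    def outbound(self, inside_ip, pool_ip):
        # A private host starts a conversation and is given a pool address; an xlate now exists.
        self.xlates[pool_ip] = inside_ip

    def inbound(self, dst_ip):
        # Returns (verdict, inside host) for an unsolicited packet from the Internet to dst_ip.
        dst = ipaddress.ip_address(dst_ip)
        for action, net in self.acl_in:            # first matching ACL entry wins
            if dst in net:
                if action == "deny":
                    return ("denied-by-acl", None)
                break
        else:
            return ("denied-by-acl", None)         # nothing matched: implicit deny
        if dst_ip in self.xlates:                  # live xlate: the packet reaches the private host
            return ("forwarded", self.xlates[dst_ip])
        if any(dst in p for p in self.pools):      # pool address no private host is using right now
            return ("no-translation", None)
        if any(dst in s for s in self.statics):    # identity static: the public host is itself
            return ("forwarded", dst_ip)
        return ("no-translation", None)

PUBLIC = ipaddress.ip_network("172.16.0.0/16")   # the public block from the thread
POOL = ipaddress.ip_network("172.16.1.0/24")     # the nat/global 1 pool range from the thread
SERVERS = ipaddress.ip_network("172.16.5.0/24")  # constructed: a VLAN of real public hosts

def build(acl):
    pix = PixModel(acl_in=acl, statics=[PUBLIC], pools=[POOL])
    pix.outbound("10.1.1.7", "172.16.1.50")      # constructed: a private host currently holding a pool IP
    return pix

def scan(pix):
    # Constructed scan targets: a public server, a pool IP in use, a pool IP not in use.
    targets = ("172.16.5.10", "172.16.1.50", "172.16.1.60")
    return {t: pix.inbound(t) for t in targets}

# ACL that admits anything to the public /16, which is the situation the thread describes.
loose = scan(build([("permit", PUBLIC)]))
# ACL that denies the pool range and opens only the server VLAN.
tight = scan(build([("deny", POOL), ("permit", SERVERS)]))
```

Under the loose ACL the pool address 172.16.1.50 is forwarded to 10.1.1.7, which is exactly the scan noise in the private host's logs; under the tight ACL the same probe is dropped at the outside interface while the public server stays reachable.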
