Using both public and private networks via NAT 0, with security!

Discussion in 'Cisco' started by Paul C., Apr 7, 2004.

  1. Paul C.

    Paul C. Guest

    I've been banging my head on the wall in regards to this. Here's our
    basic network setup:

    Internet --> Edge router --> PIX public int --> PIX private int -->
    Internal router

    The internal router is running a large number of vlans, in both our
    public Internet routable address space and RFC 1918 space. For ease
    of use, let's call our private space and pretend our public
    space is

    We're needing to non-translate IPs in our public block (as well as
    permit inbound access to them from the outside, filtered only by
    ACLs) and NAT the private IPs using pools of different class Cs of
    our public space.

    This basically works using NAT 0, but the problem is that it creates
    a security issue; as long as the private hosts have translation table
    entries, outside entities can portscan our public /16, and the inside
    private hosts show that portscan activity in their
    logfiles. Basically our private hosts are no longer secure.
    So that our public /16 can access the net:

    nat (inside) 0 access-list NO-NAT
    access-list NO-NAT; 1 elements
    access-list NO-NAT line 1 permit ip any

    For the class C to be NAT'ed:

    nat (inside) 1
    global (outside) 1 netmask

    Like I said, all you have to do from the Internet is portscan, and
    any private host with translation entries gets scanned. I want the
    private hosts to still be able to be NAT'ed and get outside, but
    still have the security in place that unrequested inbound activity
    to that private is not permitted.

    Also, our public network needs to have both outbound AND inbound
    traffic allowed unless otherwise denied by our ACL policy. Here's
    what I've thought *might* work, but I can't try it in production:

    nat (inside) 0
    (to permit outbound access without NAT'ing)

    static (inside,outside) netmask
    (to permit inbound access to public space, though still protected by
    the ACL).

    nat (inside) 1
    global (outside) 1 netmask

    Does anyone know if this will work, or am I still gonna get the same
    portscan activity on the private networks?
    Paul C., Apr 7, 2004

  2. hgreenblatt

    hgreenblatt Guest

    I may not get this quite right, but I think it will get you started. The
    nat 0 sounds like the problem. Going through the firewall all addresses have to
    be translated (even to themselves, hence your nat 0), but you could also do
    something like

    static (inside,outside) netmask
    Actually I hate when books use private addresses (RFC 1918) to describe the
    public, so let's say your network is really 24.90/16 (pardons to RoadRunner)
    static (inside,outside) netmask

    The way the PIX works is that the static has higher priority than nat (but
    not nat 0). Using the static above, and taking out the nat 0, your
    access-list should work fine, and the only ports that the outside can see
    will be those that you allow. The firewall is stateful, so starting a
    conversation from inside is fine.

    If anyone wants to correct me please do, I have only been doing this a few

    hgreenblatt, Apr 11, 2004
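Putting the two posts together (Paul's requirement of un-translated public space with ACL-filtered inbound access plus NAT pools for the private VLANs, and hgreenblatt's suggestion to replace the nat 0 with identity statics), here is an added example in PIX 6.x syntax. It is not configuration from either poster. The addresses are assumptions: 24.90.0.0/16 is borrowed from hgreenblatt's post as the public /16, with 24.90.1.0/24 and 24.90.2.0/24 standing in for public VLANs behind the internal router and 24.90.254.0/24 reserved for the NAT pool; 10.0.0.0/16 is a constructed stand-in for the RFC 1918 space. The ACL names and the permitted services are also made up for illustration.

```text
! Added example, PIX 6.x syntax. Addresses are assumptions:
!   24.90.1.0/24, 24.90.2.0/24  public space routed on the inside (identity static)
!   24.90.254.0/24              public addresses reserved for the dynamic NAT pool
!   10.0.0.0/16                 RFC 1918 private space (constructed)

! 1. Remove the nat 0 exemption that covered everything
no nat (inside) 0 access-list NO-NAT

! 2. Public subnets: identity statics (each address translates to itself).
!    A static is a fixed, bidirectional mapping, so an inbound connection to
!    one of these hosts reaches the inside only if the outside ACL permits it.
static (inside,outside) 24.90.1.0 24.90.1.0 netmask 255.255.255.0
static (inside,outside) 24.90.2.0 24.90.2.0 netmask 255.255.255.0

! 3. Private subnets: dynamic NAT into a pool carved from the public /16.
!    Translations in this pool are created only by connections started
!    from the inside.
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 24.90.254.1-24.90.254.254 netmask 255.255.255.0

! 4. Outside ACL. Deny anything aimed at the NAT pool first: if the pool
!    sits inside a broad permit for the public /16, an outside scanner can
!    ride an existing pool translation straight to a private host, which is
!    the symptom described in the first post. Then permit the public subnets
!    per policy; everything else falls to the implicit deny at the end.
access-list OUTSIDE-IN deny ip any 24.90.254.0 255.255.255.0
access-list OUTSIDE-IN permit tcp any 24.90.1.0 255.255.255.0 eq www
access-list OUTSIDE-IN permit tcp any 24.90.1.0 255.255.255.0 eq https
access-list OUTSIDE-IN permit tcp any 24.90.2.0 255.255.255.0 eq smtp
access-group OUTSIDE-IN in interface outside

! 5. Flush translations built under the old rules so the new order applies
clear xlate
```

The deny on the pool does not break outbound traffic from the private hosts: the outside ACL is evaluated for new connections, and return packets of a connection opened from the inside are matched against the firewall's connection table instead. Keeping the pool in its own /24, outside the subnets covered by the statics, also avoids an overlap between a static and the global pool. If a pool of class Cs is not strictly required, PAT on a single address (`global (outside) 1 24.90.254.1`) is tighter still, because only port-level translations tied to a live connection ever exist. `show xlate` after the change shows which translations remain.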