Using both public and private networks via NAT 0, with security!

I've been banging my head on the wall in regards to this. Here's our
basic network setup:

Internet --> Edge router --> PIX public int --> PIX private int -->
Internal router

The internal router is running a large number of vlans, in both our
public Internet routable address space and RFC 1918 space. For ease
of use, lets call our private space 10.1.0.0/16 and pretend our public
space is 172.16.0.0/16.

We're needing to non-translate IP's in our public block (as well as
permit inbound access to them from the outside, filtered only by
ACL's) and NAT the private IP's using pools of different class C's of
our public space.

This basically works using NAT 0, but the problem is that it creates
a security issue; as long as the private hosts have translation table
entries, outside entities can portscan our public /16, and the inside
private 10.1.0.0/16 hosts show that portscan activity in their
logfiles. Basically our private hosts are no longer secure.

Ex:

So that our public /16 can access the net:

nat (inside) 0 access-list NO-NAT
access-list NO-NAT; 1 elements
access-list NO-NAT line 1 permit ip 172.16.0.0 255.255.0.0 any

For the class C 10.1.1.0 to be NAT'ed:

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 172.16.1.11-172.16.1.244 netmask 255.255.255.0

Like I said; all you have to do from the Internet is portscan
172.16.1.0/24, and any private host with translation entries gets
scanned. I want the private hosts to still be able to be NAT'ed and
get outside, but still have the security in place that unrequested
inbound activity to that private is not permitted.

Also, our public network needs to have both outbound AND inbound
traffic allowed unless otherwise denied by our ACL policy. Here's
what I've thought *might* work, but I can't try it in production:

nat (inside) 0 172.16.0.0 255.255.0.0
(to permit outbound access without NAT'ing)

static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
(to permit inbound access to public space, though still protected by
the ACL).

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 172.16.1.11-172.16.1.244 netmask 255.255.255.0

Does anyone know if this will work, or am I still gonna get the same
portscan activity on the private networks?

 

Paul,
I may not get this quite right, but I think it will get you started. The
nat0 sounds like the problem. Going thru the firewall all addresses have to
be translate (even to themselves hence your Nat 0), but you could also do
something like

static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
actually I hate when books use private addresses(RFC1918) to describe the
public so lets say your network is really 24.90/16 (pardons to RoadRunner)
static (inside,outside) 24.90.0.0 24.90.0.0 netmask 255.255.0.0

The way the Pix works is that the static has higher priority than nat (but
not nat0). Using the static above , and taking out the nat 0, your
access-list should work fine, and the only ports that the outside can see
will be those that you allow. The firewall is statefull, so starting a
conversation from inside is fine.

If anyone wants to correct me please do, I have only been doing this a few
months.

Howie