Firewall Wizards
mailing list archives
Re: Strange NAT entries on the PIX
From: Lisa Napier <lnapier () cisco com>
Date: Tue, 08 Apr 2003 16:39:58 -0800
Hi Joe,
I've seen this pattern before, here's what to look for, and some ideas to
help sort things out.
You appear to have a route around the firewall, so traffic is coming to the
inside interface, translated to the outside interface address, and somehow
getting routed back around to the inside interface. This symptom goes hand
in hand with the original problem you were trying to solve - NAT pool
resource exhaustion.
Last time I saw this, the other factor they had going was some very clever
policy based routing on the outside gateway router that was 'helping' to
keep certain traffic passed back to the firewall network - via a route
around the firewall.
As a workaround solution until you untangle the path the traffic is taking
- limit your inside nat pool to the specific inside network address space
-- it should *not* be something like "nat x 0.0.0.0 0.0.0.0" but should be
more specific - and should definitely NOT include the outside
addresses. That will stop your NAT pool resource exhaustion, but you'll
still be getting traffic routed strangely, and will probably see traffic
drops with 'no translation errors' or some similar message on the inside
interface of your firewall.
You will definitely need to track down how the traffic is rolling back in
from the outside, as that is a serious problem in a firewall
installation. A firewall (any firewall) can only work on traffic it
actually SEES -- if there's a route around the firewall, your filtering is
not happening on all traffic, and your firewall is not as effective as it
should be.
Once you can track down the source and destination of the original
connection attempt, you should be able to track the path it is taking that
gets it routed in a loop around or bypassing the PIX and once you sort that
out, you'll be in better shape.
Hope that helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024
At 03:00 PM 4/7/2003, user wrote:
Sorry about the HTML mail attempt. They won't let me turn off automatic
HTML on our server. I think this client will avoid the problem.
While researching a NAT pool exhaustion problem, I came across a number
of strange NAT pairs. Essentially, addresses in the global pool are
turning up on the local side, mapped to a different address in the
outside pool.
They are usually paired to the next address in sequence, but there are a
few exceptions.
Examples:
Global x.x.25.180 Local x.x.25.179
Global x.x.25.181 Local x.x.25.180
Global x.x.25.182 Local x.x.25.181
etc. for a block of 10-20 addresses.
I'm trying to get my head around what kind of protocol might be
generating this pattern. I suspect it's a peer-peer file transfer
pattern, since it seems to be primarily in our dorms network.
Any clues would be appreciated.
Joe Pollock
Network Services
The Evergreen State College
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
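An added example, not part of this thread and not Cisco's or the list's code, that turns Lisa's two points into something a network engineer could run against translation-table output: flag xlate pairs whose local address is drawn from the outside (global) pool or lies outside the real inside address space, and check that the inside nat statement is specific and does not overlap the global pool. The "Global A Local B" line layout is taken from Joe's post; the pool, the inside range, the sample lines and the PIX-style "address mask" argument form are constructed assumptions for the demo, not real device output or configuration.

```python
import ipaddress

# Constructed assumptions: 192.0.2.176/28 stands in for the x.x.25.x global
# pool from the post, 10.20.0.0/16 for the legitimate inside (dorm) space.
GLOBAL_POOL = ipaddress.ip_network("192.0.2.176/28")
INSIDE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample modelled on the "Global ... Local ..." pairs in the post.
# Lines 2, 3 and 5 show the symptom: the local side is an address from the
# global pool, usually the previous one in sequence.
SAMPLE_XLATE = """\
Global 192.0.2.180 Local 10.20.4.17
Global 192.0.2.181 Local 192.0.2.180
Global 192.0.2.182 Local 192.0.2.181
Global 192.0.2.183 Local 10.20.9.3
Global 192.0.2.184 Local 192.0.2.183
"""


def parse_xlate(text):
    """Yield (global, local) address pairs from 'Global A Local B' lines.

    Lines that do not match that four-token shape are ignored, so banners
    or blank lines in pasted output do not break the scan.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "Global" and parts[2] == "Local":
            yield ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3])


def suspicious_xlates(text, global_pool=GLOBAL_POOL, inside_nets=INSIDE_NETS):
    """Return (global, local, reason) for pairs whose local address is wrong.

    A local address taken from the global pool means an already-translated
    packet came back in on the inside interface and was translated again,
    which is the route-around-the-firewall loop Lisa describes. A local
    address that is simply not inside address space is flagged too, since
    the nat statement should never have matched it.
    """
    flagged = []
    for g, l in parse_xlate(text):
        in_pool = l in global_pool
        in_inside = any(l in n for n in inside_nets)
        if in_pool:
            flagged.append((str(g), str(l), "local-in-global-pool"))
        elif not in_inside:
            flagged.append((str(g), str(l), "local-not-inside"))
    return flagged


def nat_statement_ok(address, mask, inside_nets=INSIDE_NETS, global_pool=GLOBAL_POOL):
    """Check the workaround: the inside nat network must be specific.

    address/mask is the PIX-style "nat (inside) 1 <address> <mask>" pair
    (assumed form). It fails for the catch-all 0.0.0.0 0.0.0.0, for any
    network overlapping the outside pool, and for anything broader than
    the known inside address space.
    """
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    if net.prefixlen == 0:
        return False              # "nat x 0.0.0.0 0.0.0.0" matches everything
    if net.overlaps(global_pool):
        return False              # would translate outside addresses again
    return any(net.subnet_of(n) for n in inside_nets)


if __name__ == "__main__":
    for g, l, why in suspicious_xlates(SAMPLE_XLATE):
        print(f"{why}: Global {g} Local {l}")
    print("catch-all nat ok?  ", nat_statement_ok("0.0.0.0", "0.0.0.0"))
    print("specific nat ok?   ", nat_statement_ok("10.20.0.0", "255.255.0.0"))
```

Run it against real "show xlate" output only after confirming the line format matches; the parser here keys on the two literal words from Joe's post and nothing else. The count of flagged pairs is a useful baseline to watch while the routing loop is being traced, since it should drop to zero once the path around the PIX is closed, independent of whether the nat statement has already been tightened.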