Firewall Wizards: Re: static nat and tcp limits

Re: static nat and tcp limits

From: Vladislav Antolik <vladislav.antolik_at_gmail.com>
Date: Sun, 2 Mar 2008 21:11:02 +0100

Many thanks. Just one question. Is it true what I've written in my
question, that there could be a problem with two of the same IP address -
NATed and real?

Vladislav

On Sat, Mar 1, 2008 at 11:54 PM, Fetch, Brandon <bfetch_at_tpg.com> wrote:
> Easiest way I've found to handle inside to DMZ traffic with the
> following presumption:
> Your security policy has no need for any of the "NAT inspections" the
> firewall does when it performs NAT across interfaces
>
> Easiest way to do this is to define a nonat group that includes your
> inside & DMZ networks both directions.
>
> And in your case it would appear to be a simple nonat ACL of:
> Permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
>
> Then define your appropriate "nat (1)" statements for the appropriate
> interfaces (inside & DMZ).
>
> This will make the firewall NOT perform NAT when either inside talks to
> DMZ or DMZ talks to inside.
>
> The added side benefit of this is it makes writing 'secure' (haha - I've
> seen some BAD ones) ACLs that allow traffic from the DMZ into the
> inside. Since there is no NAT happening you don't have to worry about
> trying to figure out what inside address a DMZ system needs to be
> configured to allowed to reach.
>
> You're only dealing with RFC1918 addresses when creating/managing your
> 'interior' ACLs, which to me means easier firewall management.
>
> HTH,
> Brandon
>
>
>
> -----Original Message-----
> From: firewall-wizards-bounces_at_listserv.icsalabs.com
> [mailto:firewall-wizards-bounces_at_listserv.icsalabs.com] On Behalf Of
> Vladislav Antolik
> Sent: Friday, February 29, 2008 5:27 AM
> To: firewall-wizards_at_listserv.icsalabs.com
> Subject: [fw-wiz] static nat and tcp limits
>
> Hello,
>
> I'm using a Cisco Pix 515E, 8.0(3).
> I have two networks - inside and dmz. Inside has sec. level 100, dmz
> 50. To let hosts communicate from inside to dmz I made
> static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10.
> I think that the Pix during NAT vindicates the NAT-ed IP address on the
> destination interface, so I have on these segments two devices with the
> same IP address.
> Is it true? What is the best solution: disable nat-control and then
> delete the static record?
> Many thanks,
> Vladislav
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Mar 02 2008
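An added example, not part of the thread or of Cisco's software: a small Python model of the PIX NAT rule lookup that Brandon's advice relies on, built from the two rules quoted above (his nonat ACL and Vladislav's identity static). It assumes the exemption ACL is applied with `nat 0 access-list` on both the inside and dmz interfaces, and that the PIX consults NAT exemption before static entries; the helper names and the sample hosts are constructed for illustration.

```python
import ipaddress

def net(addr, mask):
    """Build a network from PIX-style 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# Constructed from the thread: Brandon's nonat ACL
#   permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
# assumed to be applied as 'nat (inside) 0 access-list nonat' and
# 'nat (dmz) 0 access-list nonat' (hypothetical ACL name).
NONAT_ACL = [(net("172.16.0.0", "255.240.0.0"), net("172.16.0.0", "255.240.0.0"))]

# Vladislav's identity static:
#   static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10
STATICS = [{
    "real_if": "inside", "mapped_if": "dmz",
    "real": net("172.16.0.0", "255.255.0.0"),
    "mapped": net("172.16.0.0", "255.255.0.0"),
    "tcp_max": 0, "emb_limit": 10,   # connection limits, not modelled here
}]

def nat_decision(src_if, src_ip, dst_ip):
    """Return (rule_kind, source address as seen on the egress interface).

    The lookup order models the PIX: NAT exemption (nat 0 access-list) is
    checked first and, when it matches, no static or dynamic rule is applied,
    which is why the nonat ACL removes the static from the inside<->dmz path.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for acl_src, acl_dst in NONAT_ACL:
        if src in acl_src and dst in acl_dst:
            return "nat-exempt", str(src)
    for st in STATICS:
        if st["real_if"] == src_if and src in st["real"]:
            offset = int(src) - int(st["real"].network_address)
            return "static", str(st["mapped"].network_address + offset)
    return "no-rule", str(src)   # with nat-control enabled this flow is dropped

if __name__ == "__main__":
    # constructed hosts: inside 172.16.1.10, dmz 172.20.5.5 (both inside the /12)
    print(nat_decision("inside", "172.16.1.10", "172.20.5.5"))   # exempt
    print(nat_decision("dmz", "172.20.5.5", "172.16.1.10"))      # exempt, reverse
    print(nat_decision("inside", "172.16.1.10", "10.1.1.1"))     # static engages
```

The model covers address selection only; the per-static connection limits (`tcp 0 10`) and the proxy-ARP question Vladislav raises are outside it.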
