Network Security Firewalls

RE: FWSM NAT translation problem

Subject: RE: FWSM NAT translation problem
Date: Wed, 25 Aug 2004 21:39:09 -0500
Shekar,
 
Not sure what other 'nat' statements you have for the UDP traffic but I assume 
it's something like this
(for the PAT to 10.100.100.48):
 
nat (inside) 2 10.100.100.0 255.255.255.0
global (outside) 2 10.100.100.48 netmask 255.255.255.0
 
And your static is for the inbound tcp 7864. Instead, you might consider using 
an access-list for the PAT to specify exclusions of icmp and tcp port 7864 for 
.45 & .46:
 
access-list 101 deny tcp host 10.100.100.45 eq 7864 any
access-list 101 deny tcp host 10.100.100.46 eq 7864 any
access-list 101 deny icmp host 10.100.100.45 any echo-reply
access-list 101 deny icmp host 10.100.100.46 any echo-reply
access-list 101 permit ip 10.100.100.0 255.255.255.0 any   <--- specifies which 
range will use the PAT on 10.100.100.48
nat (inside) 2 access-list 101
global (outside) 2 10.100.100.48 netmask 255.255.255.0
 
Of course, use the other 7 lines of config in the previous email to NAT the tcp 
and icmp to .45 and .46.
 
 
Anyone have a more elegant approach?
 
 
Regards,
Peter
 
-----Original Message-----
From: Shekar Reddy [mailto:shekar.reddy@propel.com]
Sent: Thursday, August 26, 2004 11:49 AM
To: Ching, Peter
Cc: firewalls@securityfocus.com
Subject: RE: FWSM NAT translation problem 


Peter, 
 
The reason I used the extended NAT (static) statements was that all the TCP 
traffic coming into our network should use those specific external addresses 
(10.100.100.45 and 10.100.100.46), and all the UDP traffic initiated from the 
same servers (10.15.0.45, 10.45.0.46 - internal mapped addresses) should leave 
our network from a separate single IP address (10.100.100.48 - PAT). 
 
In addition to the above requirement, users should be able to ping 
10.100.100.45 and 10.100.100.46 (external addresses). 
 
Hope this gives the complete picture. 
 
Thanks,
Shekar 
 
-----Original Message-----
From: Ching, Peter [mailto:PChing@dow.com]
Sent: Wednesday, August 25, 2004 5:59 PM
To: Shekar Reddy
Subject: RE: FWSM NAT translation problem 
 
Shekar,
 
The static command lets users access specifically identified hosts on a single 
interface. The access-list command identifies the port or ports through which 
access is permitted and the access-group command binds the access-list command 
statement group to an interface.
 
Try this in place of your configs:
 
static (inside, outside) 10.100.100.45 10.15.0.45 netmask 255.255.255.255
static (inside, outside) 10.100.100.46 10.15.0.46 netmask 255.255.255.255
access-list acl_out permit tcp any 10.15.0.45 eq 7864
access-list acl_out permit tcp any 10.15.0.46 eq 7864
access-list acl_out permit icmp any 10.15.0.45 eq echo
access-list acl_out permit icmp any 10.15.0.46 eq echo
 
access-group acl_out in interface outside
 
This specifically opens up tcp port 7864 and icmp traffic sourced from the 
outside. It's recommended to allow icmp only for testing purposes. If you want 
to restrict the sources of the pings, modify the 'any' parameter for the icmp 
acl statements.
 
Please let me know how you go.
 
 
Regards,
Peter
 
 
-----Original Message-----
From: Shekar Reddy [mailto:shekar.reddy@propel.com]
Sent: Wednesday, August 25, 2004 7:53 AM
To: firewalls@securityfocus.com
Subject: FWSM NAT translation problem 
Hi Group, 

I'm using FWSM version 1.1(3) and I have a question regarding FWSM NAT 
translation. 

I have used extended translation as shown below. 

static (inside,outside) tcp 10.100.100.45 7864 10.15.0.45 7864 netmask 255.255.255.255
static (inside,outside) tcp 10.100.100.46 7864 10.15.0.46 7864 netmask 255.255.255.255

Since these external IP addresses (10.100.100.45 and .46) are mapped to the real 
servers 10.15.0.45 and .46 on port 7864 only, nothing else (for example ICMP) is 
mapped. 

PROBLEM: I'm unable to ping 10.100.100.45 and 10.100.100.46 from the outside world. 
'show xlate' shows the output below on the FWSM:

PAT Global 10.100.100.45(7864) Local 10.15.0.45(7864)
PAT Global 10.100.100.46(7864) Local 10.15.0.46(7864)

I have the following access-list statements:
access-list acl_out permit icmp any host 10.100.100.45 
access-list acl_out permit icmp any host 10.100.100.46
 
FYI: If I replace the above static statements with the following simple static 
statements, ICMP replies work fine from the outside world. 

static (inside,outside) 10.100.100.45 10.15.0.45 netmask 255.255.255.255
static (inside,outside) 10.100.100.46 10.15.0.46 netmask 255.255.255.255
 
Please let me know how to fix this ICMP problem when I have the following 
static statements.

static (inside,outside) tcp 10.100.100.45 7864 10.15.0.45 7864 netmask 255.255.255.255
static (inside,outside) tcp 10.100.100.46 7864 10.15.0.46 7864 netmask 255.255.255.255
 
I should be able to ping 10.100.100.45 and .46 from the outside world. 
NOTE: IP addresses are fictitious 
Thanks in advance.
Shekar 
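The symptom and the fix discussed in this thread, as an added toy model that is not from the thread or from Cisco: it assumes the FWSM looks for a static/xlate match before it consults the outside ACL, and that the outside ACL names the global address, as Shekar's acl_out lines do.

```python
# Added example, not from the thread: a toy model of the FWSM inbound path
# (static/xlate lookup, then the outside ACL) showing why a port-level static
# leaves ICMP with no translation. A simplification, not Cisco's implementation.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str] = None   # None = plain static: every protocol and port
    port: Optional[int] = None    # port-level static (PAT) when proto is set

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    dst_ip: str                   # global address as seen on the outside
    dst_port: Optional[int] = None

def find_xlate(statics, pkt):
    """Local address the packet translates to, or None (the 'no xlate' case)."""
    for s in statics:
        if s.global_ip != pkt.dst_ip:
            continue
        if s.proto is None or (s.proto == pkt.proto and s.port == pkt.dst_port):
            return s.local_ip
    return None

def inbound_verdict(statics, acl, pkt):
    """acl entries are (proto, global_dst, port); port None means any port.
    Assumption: the outside ACL names the global address, as the thread's
    'permit icmp any host 10.100.100.45' lines do."""
    if find_xlate(statics, pkt) is None:
        return "no-xlate"          # dropped before the ACL is consulted
    for proto, dst, port in acl:
        if proto == pkt.proto and dst == pkt.dst_ip and port in (None, pkt.dst_port):
            return "permit"
    return "acl-deny"

# Shekar's port-level statics (fictitious addresses from the thread)
PORT_STATICS = [Static("10.100.100.45", "10.15.0.45", "tcp", 7864),
                Static("10.100.100.46", "10.15.0.46", "tcp", 7864)]
# Plain statics from the follow-up; the ACL then does the port restriction
PLAIN_STATICS = [Static("10.100.100.45", "10.15.0.45"),
                 Static("10.100.100.46", "10.15.0.46")]
ACL_OUT = [("tcp", "10.100.100.45", 7864), ("tcp", "10.100.100.46", 7864),
           ("icmp", "10.100.100.45", None), ("icmp", "10.100.100.46", None)]
PING_45 = Packet("icmp", "10.100.100.45")       # no-xlate vs permit
SSH_45 = Packet("tcp", "10.100.100.45", 22)     # acl-deny with the plain static
```

With the plain static the host's other ports now have an xlate, so the outside ACL is the only thing keeping them closed; that is why it must stay limited to tcp/7864 and the icmp types actually needed.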