firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. static nat for inside returning traffic (Shahin Ansari)
2. Re: NAT order help (sivakumar)
3. Firewalls that generate new packets.. (Kelly Robinson)
4. Re: NAT order help (kevin horvath)
----------------------------------------------------------------------
Message: 1
Date: Tue, 13 Nov 2007 15:45:25 -0800 (PST)
From: Shahin Ansari <zohal52@yahoo.com>
Subject: [fw-wiz] static nat for inside returning traffic
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <932239.12415.qm@web30709.mail.mud.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Greetings-
I came across an issue which I cannot explain and need your help please. I was trying to provide access to an inside host from outside. I put in a 1:1 static NAT for the outside host, made sure there is a route for both hosts, and updated the outside interface access-list. But there was no connection. I also did not see any message in the logs. Just FYI, this was a PIX platform running 6.3(x). What seems to have fixed the issue was a static for the inside host, which I did not think I needed since there is a default nat statement on my inside interface translating everything to a global address. Any thoughts?
Sean
------------------------------
Message: 2
Date: Wed, 14 Nov 2007 05:36:08 -0800 (PST)
From: sivakumar <siva_itech@yahoo.com>
Subject: Re: [fw-wiz] NAT order help
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <13746694.post@talk.nabble.com>
Content-Type: text/plain; charset=us-ascii
Hi,
Thanks for your reply. Is my rule for static PAT right, or do I need to
specify TCP/UDP ports to do a PAT? Is it possible to translate multiple IPs
from inside to a single IP outside using static? Please let me know, since I
couldn't find anything in the Cisco docs describing a static PAT like that; rather,
they perform redirection on ports.
kevin horvath wrote:
>
> to clarify,
>
> Traffic initiated from the inside (10 net) will map to itself
> (identity nat), unless it is tcp traffic destined for 1.1.1.1 then it
> will map to 1.1.1.2.
>
> Traffic initiated from the outside to the inside will not matter since
> this is where there is no overlapping as the above scenario. Here
> traffic destined for 10.x will be translated to itself. The policy
> nat in this scenario does not allow traffic initiated from a lower
> security interface to a higher security interface as it can only be
> done via nat exemption, identity nat, or static nat/pat. I think this
> is where the confusion was. Only local traffic can be translated with
> Policy NAT (thanks for catching my typo above) not global.
>
> hope this clarifies things.
>
> Kevin
>
>> >
>> > >
>> > > On 11/6/07, sivakumar <siva_itech@yahoo.com> wrote:
>> > > >
>> > > > Hi,
>> > > >
>> > > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
>> > > >
>> > > > static (inside,outside) 1.1.1.2 access-list rule1 0 0
>> > > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
>> > > >
>> > > > Please tell me which statement will take precedence - policy NAT or
>> > > > static NAT.
>> > > >
>> > > > --
>> > > > View this message in context:
>> http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
>> > > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
>> > > >
>> > > > _______________________________________________
>> > > > firewall-wizards mailing list
>> > > > firewall-wizards@listserv.icsalabs.com
>> > > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>> > > >
>> > >
>> > >
>> > > --
>> > > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
>> > >
>> > > http://www.algosec.com
>> > > ******* Firewall Management Made Smarter ******
--
View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13746694
Sent from the Firewall Wizards mailing list archive at Nabble.com.
------------------------------
Message: 3
Date: Wed, 14 Nov 2007 14:58:37 +1100
From: "Kelly Robinson" <caliana1989@gmail.com>
Subject: [fw-wiz] Firewalls that generate new packets..
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<75fc8fb30711131958q2cd999c3s287fa99d166caf2@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Some firewalls, after receiving a packet, generate a new packet and populate
it with data from the original, rather than forwarding the same packet that
was received. What are the advantages and disadvantages of this approach?
And does anyone have any examples of any firewalls that do this on the
market?
Thanks
- k
------------------------------
Message: 4
Date: Wed, 14 Nov 2007 15:16:24 -0500
From: "kevin horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] NAT order help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0711141216o75588829u2fd4537d42dad04e@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
If your intention is just to do regular PAT where you have a block of
internal addresses all translating out to one IP then all you have to
do is
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.1.1.2
Now if you do this then it will not allow traffic initiated from your
outside interface (lower security) to your inside interface (higher
security). If you need this, for example you are hosting a web server
that you want people on the internet to access, then you will have to
do a static PAT (if you only have one IP to translate, that is).
Otherwise you could just do a regular static NAT.
On Nov 14, 2007 8:36 AM, sivakumar <siva_itech@yahoo.com> wrote:
>
> Hi,
>
> Thanks for your reply. Is my rule for Static PAT right or i need to
> specify TCP/UDP ports to do a PAT? Is it possible to translate multiple ip's
> from inside to a single ip outside using static. Please let me know since i
> couldn't find in Cisco Docs saying any Static PAT like that rather they do
> perform redirection on ports.
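For both threads in this digest (message 1, where an inbound connection to an inside host only worked once a static existed for that host, and messages 2 and 4, on nat/global versus static PAT and static NAT), the following PIX 6.3 configuration fragment is an added example, not part of any poster's message or of a Cisco document. It assumes an inside network of 10.0.0.0/8, an outside interface address of 203.0.113.2 that is the only public address available for PAT, a second public address 203.0.113.11, a web server at 10.0.0.10 and an SSH host at 10.0.0.11; all addresses and the access-list name are made up for the example. Lines beginning with `:` are comments.

```cisco
: Added example, not from any poster. Assumed: inside net 10.0.0.0/8,
: outside interface address 203.0.113.2 (the only public IP for PAT),
: a second public address 203.0.113.11, and servers 10.0.0.10 / 10.0.0.11.

: 1. Dynamic PAT for outbound traffic. Every 10.x host shares the outside
:    interface address. An xlate is created only when an inside host opens
:    a connection, so this alone never lets the outside reach a 10.x host.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface

: 2. Static PAT (port redirection) on the same public address: TCP/80 on
:    the outside interface is mapped to 10.0.0.10:80. This xlate is
:    permanent, so an outside-initiated connection can match it. Other
:    ports on 203.0.113.2 remain available to the dynamic PAT above.
static (inside,outside) tcp interface 80 10.0.0.10 80 netmask 255.255.255.255 0 0

: 3. One-to-one static NAT for a host that needs a whole public address.
:    No ports are named, so any inbound protocol the ACL permits will work.
static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255 0 0

: 4. A translation is necessary but not sufficient. Traffic entering from
:    the lower-security interface must also be permitted by the ACL bound
:    there; on 6.3 that ACL is written against the global (translated)
:    addresses, not the 10.x local addresses.
access-list outside_in permit tcp any host 203.0.113.2 eq 80
access-list outside_in permit tcp any host 203.0.113.11 eq 22
access-group outside_in in interface outside

: 5. Changing static or nat lines does not rewrite translations that are
:    already in the table. Flush it, confirm the two static xlates appear,
:    and watch the connection table while testing from outside.
clear xlate
show xlate
show conn
```

After pasting, `show xlate` should list the 10.0.0.10 port-80 entry and the 10.0.0.11 entry before any outside test is run; if an outside-initiated connection still fails, `show conn` distinguishes a connection that was built and then dropped from one that never matched a translation at all. The SSH-only line for 203.0.113.11 is just an illustration of the one-to-one case; widen it to what the host actually serves.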
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 19, Issue 11
************************************************