Firewall Wizards mailing list archives

Re: Strange NAT entries on the PIX


From: Lisa Napier <lnapier () cisco com>
Date: Tue, 08 Apr 2003 16:39:58 -0800

Hi Joe,

I've seen this pattern before, here's what to look for, and some ideas to help sort things out.

You appear to have a route around the firewall, so traffic is coming to the inside interface, translated to the outside interface address, and somehow getting routed back around to the inside interface. This symptom goes hand in hand with the original problem you were trying to solve - NAT pool resource exhaustion.

Last time I saw this, the other factor they had going was some very clever policy based routing on the outside gateway router that was 'helping' to keep certain traffic passed back to the firewall network - via a route around the firewall.

As a workaround solution until you untangle the path the traffic is taking - limit your inside nat pool to the specific inside network address space -- it should *not* be something like "nat x 0.0.0.0 0.0.0.0" but should be more specific - and should definitely NOT include the outside addresses. That will stop your NAT pool resource exhaustion, but you'll still be getting traffic routed strangely, and will probably see traffic drops with 'no translation errors' or some similar message on the inside interface of your firewall.

You will definitely need to track down how the traffic is rolling back in from the outside, as that is a serious problem in a firewall installation. A firewall (any firewall) can only work on traffic it actually SEES -- if there's a route around the firewall, your filtering is not happening on all traffic, and your firewall is not as effective as it should be.

Once you can track down the source and destination of the original connection attempt, you should be able to track the path it is taking that gets it routed in a loop around or bypassing the PIX, and once you sort that out, you'll be in better shape.

Hope that helps,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

PGP:  A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024

At 03:00 PM 4/7/2003, user wrote:
Sorry about the HTML mail attempt.  They won't let me turn off automatic
HTML on our server.  I think this client will avoid the problem.


While researching a NAT pool exhaustion problem, I came across a number
of strange NAT pairs.  Essentially, addresses in the global pool are
turning up on the local side, mapped to a different address in the
outside pool.

They are usually paired to the next address in sequence, but there are a
few exceptions.

Examples:

Global x.x.25.180  Local x.x.25.179
Global x.x.25.181  Local x.x.25.180
Global x.x.25.182  Local x.x.25.181

etc. for a block of 10-20 addresses.

I'm trying to get my head around what kind of protocol might be
generating this pattern.  I suspect it's a peer-peer file transfer
pattern, since it seems to be primarily in our dorms network.

Any clues would be appreciated.

Joe Pollock
Network Services
The Evergreen State College
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

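The two things Lisa tells Joe to look at can both be checked mechanically from the PIX's own output: translations whose Local address is itself an address from the global pool (the symptom Joe pasted), and a `nat` statement that is the `0.0.0.0 0.0.0.0` catch-all or otherwise covers the global pool. The script below is an added example written for this archive page, not code from either poster or from Cisco. It parses the `Global ... Local ...` line form shown in Joe's post and PIX 6.x style `nat (inside) ...` / `global (outside) ...` statements; the sample xlate lines and configuration strings are constructed with RFC 1918 and RFC 5737 addresses and stand in for real `show xlate` and `show run` output.

```python
import ipaddress
import re

# Constructed sample of "show xlate" output in the Global/Local form that
# appears in Joe's post.  The last three lines reproduce the symptom he
# describes: pool addresses appearing on the Local side, offset by one.
SAMPLE_XLATE = """\
Global 203.0.113.21 Local 10.20.1.15
Global 203.0.113.22 Local 10.20.1.16
Global 203.0.113.180 Local 203.0.113.179
Global 203.0.113.181 Local 203.0.113.180
Global 203.0.113.182 Local 203.0.113.181
"""

# Constructed nat/global statements (PIX 6.x syntax, assumed) for the
# same box.  BAD_CONFIG uses the catch-all Lisa warns against,
# OVERLAP_CONFIG translates a network that contains the pool itself,
# GOOD_CONFIG is limited to the actual inside address space.
BAD_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.10-203.0.113.200
"""
OVERLAP_CONFIG = """\
nat (inside) 1 203.0.113.0 255.255.255.0 0 0
global (outside) 1 203.0.113.10-203.0.113.200
"""
GOOD_CONFIG = """\
nat (inside) 1 10.20.0.0 255.255.0.0 0 0
global (outside) 1 203.0.113.10-203.0.113.200
"""

XLATE_RE = re.compile(r"^Global\s+(\S+)\s+Local\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\(\S+\)\s+(\d+)\s+(\S+)-(\S+)")


def parse_global_pools(config):
    """Return {nat_id: (first_addr, last_addr)} from 'global' statements."""
    pools = {}
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            pools[int(m.group(1))] = (ipaddress.ip_address(m.group(2)),
                                      ipaddress.ip_address(m.group(3)))
    return pools


def find_pool_addresses_as_local(xlate_text, pools):
    """Return (global, local) pairs whose Local address lies inside a
    global pool.  Already-translated traffic has come back to the inside
    interface and is being translated a second time: Lisa's route-around
    symptom, and a consumer of pool addresses."""
    suspicious = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        local = ipaddress.ip_address(m.group(2))
        if any(first <= local <= last for first, last in pools.values()):
            suspicious.append((m.group(1), m.group(2)))
    return suspicious


def check_nat_statements(config, pools):
    """Return (statement, reason) for 'nat' statements that are the
    0.0.0.0 catch-all or whose inside network overlaps their own global
    pool, which is the workaround Lisa recommends tightening first."""
    findings = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        nat_id = int(m.group(1))
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if net.prefixlen == 0:
            findings.append((line.strip(), "catch-all 0.0.0.0 0.0.0.0"))
            continue
        pool = pools.get(nat_id)
        # Range/prefix overlap test: pool starts before the net ends and
        # ends after the net starts.
        if pool and pool[0] <= net.broadcast_address and pool[1] >= net.network_address:
            findings.append((line.strip(), "inside network overlaps global pool"))
    return findings


if __name__ == "__main__":
    pools = parse_global_pools(BAD_CONFIG)
    for pair in find_pool_addresses_as_local(SAMPLE_XLATE, pools):
        print("pool address on Local side:", pair)
    for name, cfg in (("BAD", BAD_CONFIG), ("OVERLAP", OVERLAP_CONFIG), ("GOOD", GOOD_CONFIG)):
        print(name, check_nat_statements(cfg, parse_global_pools(cfg)))
```

A non-empty result from `find_pool_addresses_as_local` is the cue to start tracing the path of the original connection, as Lisa describes; a clean `check_nat_statements` only stops the pool from being drained and does nothing about the route around the firewall.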