Firewall Wizards mailing list archives
Re: Strange NAT entries on the PIX
From: Lisa Napier <lnapier () cisco com>
Date: Tue, 08 Apr 2003 16:39:58 -0800
Hi Joe,

I've seen this pattern before; here's what to look for, and some ideas to help sort things out.

You appear to have a route around the firewall, so traffic is coming to the inside interface, translated to the outside interface address, and somehow getting routed back around to the inside interface. This symptom goes hand in hand with the original problem you were trying to solve - NAT pool resource exhaustion.

Last time I saw this, the other factor they had going was some very clever policy based routing on the outside gateway router that was 'helping' to keep certain traffic passed back to the firewall network - via a route around the firewall.
As a workaround solution until you untangle the path the traffic is taking - limit your inside nat pool to the specific inside network address space -- it should *not* be something like "nat x 0.0.0.0 0.0.0.0" but should be more specific - and should definitely NOT include the outside addresses. That will stop your NAT pool resource exhaustion, but you'll still be getting traffic routed strangely, and will probably see traffic drops with 'no translation errors' or some similar message on the inside interface of your firewall.
You will definitely need to track down how the traffic is rolling back in from the outside, as that is a serious problem in a firewall installation. A firewall (any firewall) can only work on traffic it actually SEES -- if there's a route around the firewall, your filtering is not happening on all traffic, and your firewall is not as effective as it should be.

Once you can track down the source and destination of the original connection attempt, you should be able to track the path it is taking that gets it routed in a loop around or bypassing the PIX, and once you sort that out, you'll be in better shape.
Hope that helps,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024

At 03:00 PM 4/7/2003, user wrote:

Sorry about the HTML mail attempt. They won't let me turn off automatic HTML on our server. I think this client will avoid the problem.

While researching a NAT pool exhaustion problem, I came across a number of strange NAT pairs. Essentially, addresses in the global pool are turning up on the local side, mapped to a different address in the outside pool. They are usually paired to the next address in sequence, but there are a few exceptions. Examples:

Global x.x.25.180 Local x.x.25.179
Global x.x.25.181 Local x.x.25.180
Global x.x.25.182 Local x.x.25.181

etc. for a block of 10-20 addresses.

I'm trying to get my head around what kind of protocol might be generating this pattern. I suspect it's a peer-peer file transfer pattern, since it seems to be primarily in our dorms network. Any clues would be appreciated.

Joe Pollock
Network Services
The Evergreen State College

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
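Added example, not from the thread or from Cisco: a small Python check that parses PIX "show xlate" lines of the kind Joe posted, flags translations whose Local side is a global-pool address (the route-around symptom Lisa describes), and tests whether a "nat" statement is scoped to the inside address space rather than 0.0.0.0 0.0.0.0. The sample xlate output, the global pool 203.0.113.128/25 and the inside space 10.0.0.0/8 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of PIX 6.x "show xlate" output; not from the original post.
# Assumed global pool: 203.0.113.128/25. Assumed inside space: 10.0.0.0/8.
SAMPLE_XLATE = """\
Global 203.0.113.180 Local 10.20.5.17
Global 203.0.113.181 Local 10.20.5.42
Global 203.0.113.182 Local 203.0.113.181
Global 203.0.113.183 Local 203.0.113.182
Global 203.0.113.184 Local 203.0.113.183
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
XLATE_RE = re.compile(r"Global\s+" + IPV4 + r"\s+Local\s+" + IPV4)
NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+\d+\s+" + IPV4 + r"\s+" + IPV4)


def parse_xlate(text):
    """Return [(global, local), ...] as ip_address objects from show xlate lines."""
    return [(ipaddress.ip_address(g), ipaddress.ip_address(l))
            for g, l in XLATE_RE.findall(text)]


def find_looped_xlates(text, global_pool_cidr, inside_cidrs):
    """Flag entries whose Local side is not an inside host.
    A Local address inside the global pool, or one that is another entry's
    Global address, means already-translated traffic re-entered the inside
    interface: a path around the firewall. Returns (global, local, reason)."""
    pool = ipaddress.ip_network(global_pool_cidr)
    inside = [ipaddress.ip_network(c) for c in inside_cidrs]
    pairs = parse_xlate(text)
    globals_seen = {g for g, _ in pairs}
    flagged = []
    for g, local in pairs:
        if local in pool:
            reason = "local address is in the global pool"
        elif local in globals_seen:
            reason = "local address is another entry's global address"
        elif not any(local in n for n in inside):
            reason = "local address is outside the inside address space"
        else:
            continue
        flagged.append((str(g), str(local), reason))
    return flagged


def nat_scope_is_specific(nat_line, inside_cidrs):
    """True only if 'nat (if) id addr mask' covers a subset of the inside space;
    'nat (inside) 1 0.0.0.0 0.0.0.0' also matches returning pool traffic."""
    m = NAT_RE.match(nat_line.strip())
    if not m:
        raise ValueError("not a nat statement: " + nat_line)
    scope = ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False)
    return any(scope.subnet_of(ipaddress.ip_network(c)) for c in inside_cidrs)
```

Feed it the real "show xlate" output and your own pool and inside ranges; anything it flags is a translation the firewall should never have built from inside traffic.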