topic Re: disabling nat after the pix in Network Security

disabling nat after the pix

thaier1978 — Fri, 21 Feb 2020 08:30:55 GMT

dear sir,

I want to prevent users from connecting routers after my 525 pix firewall,through disabling nat for them or other way?

I appreciate your help in advanced.

thank you,

thaier

Re: disabling nat after the pix

pradeepde — Mon, 14 Nov 2005 22:08:55 GMT

If you have a public address on the inside network, and you want the inside hosts to go out to the outside without translation, you can disable NAT. You would also need to change the static command.

nat (inside) 0 175.1.1.0 255.255.255.0

If you are using ACLs in PIX software versions 5.0.1 and later, use the following commands.

access-list 103 permit ip 175.1.1.0 255.255.255.0 any

nat (inside) 0 access-list 103

This command disables NAT for the 175.1.1.0 network. The static command for the web server would be changed as shown below.

static (inside, outside) 175.1.1.254 175.1.1.254

The following command defines the conduit for the web server.

conduit permit tcp host 175.1.1.254 eq www any

If you are using ACLs in PIX software versions 5.0.1 and later, use the following commannds.

access-list 102 permit tcp any host 175.1.1.254 eq www

access-group 102 in interface outside

Note that the difference between using nat 0 with specifying network/mask as opposed to using an ACL that uses a network/mask that permits initiation of connections from inside only. The use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues.

Re: disabling nat after the pix

thaier1978 — Tue, 15 Nov 2005 05:55:45 GMT

Dear pradeepde

I know how disable the NAT on my pix, I just want to disable the NAT after the pix and keep my pix doning NATing.

My problem is that some of my inside users are using routers to establish asmall network inside my network, I want to prevent that with out affecting the other users that are using DHCP to gane their IPs and NATed through the PIX to the outside????

I appreciate your kind reply...

Thank you,

Thaier

Re: disabling nat after the pix

brad — Tue, 15 Nov 2005 07:54:56 GMT

There are two ways of looking at this.

Where your LAN is 10.1.1.0/24

Where your WAN is 99.99.99.0/24

Where the Routers WAN is 10.1.1.0/24

Where the Routers LAN is 10.1.2.0/24

First perspective:

If you are working with simple nat configurations on the firewall such as:

nat (inside) 99 10.1.1.0 255.255.255.0

global (outside) 99 interface

In this example, users would not be able to configure a router behind your firewall as only the inside LAN addresses are NATed by the firewall. The 10.1.2.0/24 subnet is not valid for NAT translations.

Second Perspective:

If the router has NAT configured and translates address from 10.1.2.0/24 to 10.1.1.x and then forwards them to the firewall for a second translation (double NAT), then the connection will succeed. You can't really do much about this without somehow identifying valid source addresses or sessions.

Consider configuring all of the switch ports to only allow a single mac address? - Presumably the router would be the first and all other connections would fail.

Brad

Re: disabling nat after the pix

thaier1978 — Tue, 15 Nov 2005 11:40:51 GMT

how can I configure the switch ports to only allow a single mac address, Bythe way I have Cisco C2950 switches???

Thank you,

Thaier

Re: disabling nat after the pix

brad — Tue, 15 Nov 2005 16:46:09 GMT

Hi Thaier

This article discusses port security on the 2950 switch.

http://www.cisco.com/en/US/partner/products/hw/switches/ps4916/products_configuration_guide_chapter09186a008017e531.html#1038501

Although, on second thought - All of the source MAC addresses will be the router anyway. MAC src/dst addresses are always the forwarding and receiving hosts which in your case is the unwanted router and your firewall.

You could preconfigure every port with the proper mac address, but that would quickly become far to complex and administratively intense.

Sorry - I can't think of an easy way to do this.

Brad