PAT traffic from Outside to Inside

Hi Experts,

We have a requirement for rules to be allowed for penetration testing from an outside public IP to scan all internal networks on port 'any'.

Typically we've seen PAT from inside to outside; is there any configuration to be done to accomplish this? If yes, could you please give an overview of the NAT and access rules?

Thanks for your time and support


Source: 1.1.1.1 (For example)

Destination: 10.0.0.0/8 and 192.168.0.0/24

Port: Any

4 Replies

Hi,
Is this purely so the penetration testers don't need to come onsite to run this scan from the internal network? If so, you are better off providing access over an AnyConnect Remote Access VPN. Otherwise you'd need a lot of static 1-to-1 NAT rules.

HTH

Hi, thanks RJI for the reply. Since they are non-domain users, is there anything extra we need to configure at the firewall or AD level?

Well, if you provide them remote access, you would need to configure AnyConnect remote access VPN on the ASA/FTD, example here. You could just create them an AD account to authenticate to the VPN.


HTH

lwilfredoflor
Level 1

The requirement isn't too smart. If this is only for a pentest, you could allow VPN access to those internal networks; if you don't have the license to deploy AnyConnect, you could request trial ones from cisco.com/go/license.


regards
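Both replies steer toward AnyConnect rather than inbound NAT. As an added illustration (constructed for this page, not configuration posted by anyone in the thread), these are the ASA pieces that approach needs for the 10.0.0.0/8 and 192.168.0.0/24 scope from the question: a NAT exemption so VPN traffic to those networks is not translated, and a VPN filter so the tester accounts can reach only that scope. The pool range, object names, group-policy and tunnel-group names are assumed values; the remaining AnyConnect enablement (webvpn, certificate, AAA) follows the Cisco guide RJI referred to.

```cisco
! Internal scope named in the question
object network INSIDE-10
 subnet 10.0.0.0 255.0.0.0
object network INSIDE-192
 subnet 192.168.0.0 255.255.255.0
object-group network INSIDE-SCAN-SCOPE
 network-object object INSIDE-10
 network-object object INSIDE-192

! Address pool handed to the testers' AnyConnect sessions (assumed range)
ip local pool PENTEST-POOL 172.16.250.1-172.16.250.10 mask 255.255.255.0
object network PENTEST-POOL-NET
 subnet 172.16.250.0 255.255.255.0

! NAT exemption (identity twice-NAT): traffic between the inside scope and the
! VPN pool must bypass the existing inside-to-outside PAT, otherwise return
! traffic to the VPN clients is translated and the scan results are meaningless
nat (inside,outside) source static INSIDE-SCAN-SCOPE INSIDE-SCAN-SCOPE destination static PENTEST-POOL-NET PENTEST-POOL-NET no-proxy-arp route-lookup

! VPN traffic bypasses interface ACLs by default (sysopt connection permit-vpn),
! so the vpn-filter is the control point: source is the client's pool address,
! destination is the permitted inside scope, any port (as the question asks)
access-list PENTEST-VPN-FILTER extended permit ip 172.16.250.0 255.255.255.0 object-group INSIDE-SCAN-SCOPE

! Group policy dedicated to the tester accounts so the filter and pool apply
! only to them and not to regular remote-access users
group-policy PENTEST-GP internal
group-policy PENTEST-GP attributes
 vpn-filter value PENTEST-VPN-FILTER
 address-pools value PENTEST-POOL

! Connection profile the testers select; AD authentication via the aaa-server
! group configured for the firewall (name assumed)
tunnel-group PENTEST-RA type remote-access
tunnel-group PENTEST-RA general-attributes
 authentication-server-group AD-LDAP
 default-group-policy PENTEST-GP
```

Disable the tunnel-group (or the AD account) when the engagement ends, since the filter otherwise remains a permanent any-port path into both networks.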
