Clarification on PIX 7 "no nat-control"

tbissett
Level 1

So, I'm looking at the NAT-control command in PIX 7 and thought of a hypothetical situation:

1) Let's say I disable NAT control with the 'no nat-control' command. I have public IPs in my DMZ, so I don't want to have to mess with a static statement to allow traffic inbound to the DMZ. Only ACLs.

2) For this exercise, my inside network is 192.168.1.0/24. Since this is a private IP range, I still need to add a NAT/Global statement to make this range work. Like a good security guy, I use the NAT statement to only define 192.168.1.0 instead of the 'default' wildcard of '0 0'.

3) Now, let's say our network gets hit with some sort of DoS worm, with my stations acting as the zombies, and this worm spoofs source addresses to something outside the 192.168.1.0 range. Our PCs are now sending traffic out the firewall with a source IP other than 192.168.1.0/24.

If NAT control were enabled, I know these spoofed packets would stop at the firewall (this coming from first-hand experience) because there would be no translation group. Remember, my NAT statement was only for 192.168.1.0/24, and the spoofed packets have source IPs outside that range.

If NAT control were NOT enabled, am I correct that these worm DoS packets would indeed still be allowed through the firewall with the bogus source IPs, but just not NATed?


gfullage
Cisco Employee

Yep, correctamundo.

If you turn off nat-control, outbound packets flow without any other commands necessary (inbounds still need an access-list, just not a static as well). If there is a matching nat/global pair the outbound packets will be NAT'd, even with nat-control off.
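As an added illustration (not part of either post above), here is a PIX 7 configuration for the scenario described in the thread, with the interface names, security levels and addresses as assumptions. It disables nat-control, keeps the nat/global pair for 192.168.1.0/24, and then restores the "spoofed source gets dropped" behaviour that nat-control used to provide implicitly, this time as an explicit egress ACL and unicast RPF check on the inside interface.

```cisco
! Added example (not from the thread): PIX 7 configuration for the
! scenario above. Interface names, security levels and addresses
! are assumptions.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Disable NAT control: outbound traffic no longer needs a matching
! nat/global pair, and the public DMZ needs only ACLs, not statics.
no nat-control
!
! The private inside range is still translated when it matches this pair.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! With nat-control off, a packet sourced outside 192.168.1.0/24 would be
! forwarded untranslated. Re-create the old "no translation group" drop
! explicitly: an ACL applied inbound on the inside interface that permits
! only the legitimate inside range and logs everything else.
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Unicast RPF on the inside interface drops the same spoofed sources
! based on the routing table, independently of the ACL.
ip verify reverse-path interface inside
```

The `deny ... log` entry gives you syslog evidence of which inside hosts are emitting spoofed sources, which is what you would want when hunting the zombies the original question describes.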
