Firepower PAT bug ?

rmathieson7
Level 1

Hi,

I noticed that port scans had been querying all the internal hosts with bidirectional NATs defined, which is obviously expected. But I also noticed that odd internal hosts that shouldn't be routable were also in scope on occasion. Further investigation shows that this is happening when the port scan targets our default internet breakout PAT address, which is obviously a dynamic unidirectional PAT. The packet I'm seeing is nothing out of the ordinary, just a SYN with a sequence number of 0.

If I use packet tracer to try to replicate the traffic it correctly drops it, as there isn't anything in the state table to match. Has anyone else seen this before? I certainly don't think it's expected behavior, but can't seem to find any mention of a bug that would explain what I'm seeing.

Accepted Solution

If there is an existing xlate entry for the source address a.b.c.d created for an outbound session (from inside to outside) and there is another inbound connection (outside to inside) from a different source to the mapped IP address and port of a.b.c.d, then that existing xlate entry will be used for a translation, no matter what the new source IP address is. For this new connection UN-NAT will be performed using the existing xlate and then the access-list check will be performed.

NAT is not a security technology and is not enforcing any security checks.

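The behaviour the accepted answer describes, as a simplified Python model added here (not code from the thread or from Cisco): the xlate table is keyed only on the mapped address and port, so an unsolicited SYN from any outside source that happens to hit an allocated PAT port is un-NATed to the inside host, and only the outside-interface ACL decides whether it is then permitted. All addresses, ports and ACL entries are constructed for illustration.

```python
# Toy model of dynamic PAT xlate reuse (constructed example, not the real ASA/FTD code).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Firewall:
    pat_ip: str                      # outside interface / PAT address
    # xlate table: (mapped_ip, mapped_port) -> real inside endpoint
    xlates: dict = field(default_factory=dict)
    # outside ACL permits: (src_ip or "any", real_dst_ip, real_dst_port)
    outside_acl: set = field(default_factory=set)
    next_port: int = 40000           # next dynamic PAT port to hand out

    def outbound(self, inside: Endpoint) -> Endpoint:
        """Inside host opens a session; dynamic PAT allocates a mapped port."""
        mapped = Endpoint(self.pat_ip, self.next_port)
        self.next_port += 1
        self.xlates[(mapped.ip, mapped.port)] = inside
        return mapped

    def inbound(self, src: Endpoint, dst: Endpoint) -> str:
        """Unsolicited SYN from outside: xlate lookup, un-NAT, then ACL check."""
        inside = self.xlates.get((dst.ip, dst.port))
        if inside is None:
            return "drop: no xlate"          # what packet-tracer reproduced
        # xlate hit: destination is rewritten regardless of who the source is
        permitted = any(
            (s in ("any", src.ip)) and d == inside.ip and p == inside.port
            for (s, d, p) in self.outside_acl
        )
        if permitted:
            return f"permit: un-NAT to {inside.ip}:{inside.port}"
        return f"deny: ACL (un-NAT to {inside.ip}:{inside.port})"


def demo():
    fw = Firewall(pat_ip="203.0.113.1")
    mapped = fw.outbound(Endpoint("10.1.1.50", 51000))   # host goes out via PAT
    scanner = Endpoint("198.51.100.9", 12345)            # unrelated outside source
    hit = fw.inbound(scanner, mapped)                    # lands on the allocated port
    miss = fw.inbound(scanner, Endpoint(fw.pat_ip, 443))  # port with no xlate
    return hit, miss
```

The scanner's SYN that hits an in-use PAT port is not dropped by NAT; it reaches the ACL stage already un-NATed to the inside host, which is why the outside ACL (not the absence of a static NAT) is what keeps such hosts out of scope.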