11-23-2004 12:59 PM - edited 02-20-2020 11:46 PM
Hi folks!
We're a small company running a PIX 501 device as our corporate firewall. We have a DMZ set up inside our firewall, with the bulk of our internal network being behind a Linksys router - we have a webserver sitting in the DMZ at the moment. Our PIX version is 6.3(1), and our PDM version is 3.0(1).
Our external public IP that we have programmed the PIX outside interface with is a subnetted C-class license, with a subnet mask of 255.255.255.248. The DMZ has the 'standard' 192.168.1.x range, and our internal IP addresses are 10.0.0.x addresses. We have NAT/PAT set up, nothing elaborate.
Up until now, I had thought that our internal IP addresses were not visible to the outside internet - I was fairly certain that anyone 'looking' at us would only see our public IP. However, recently I was on a website and was surprised when it displayed my INTERNAL IP address.
Is there an option somewhere in the PIX configuration to prevent this? I've taken a quick look at the PDM configuration screens, and am in the process of sifting the help documentation, but so far I haven't found the info I need. Any help would be greatly appreciated. :)
Regards,
Bert Van Vliet
Technical Support,
TORLYS Inc.
11-23-2004 03:51 PM
The NAT/PAT on the 501 will change your original source IP address of 10.x.x.x to the PIX's outside interface address in the IP header as the packets go through it. This in effect hides your actual internal IP addresses from the outside world.
There are some web sites that run security checks on your PCs (the ShieldsUp test at grc.com for instance) by using specific Windows-related tests to glean information from your computer. These tests can usually figure out the actual IP of your machine, because your machine will tell it to anyone that asks the right questions (as these web sites are designed to do). The IP address is included in NetBIOS packets or Windows networking packets, which the PIX will not inspect at that level, and it will therefore not change the embedded IP address.
The fact that someone can glean your actual internal, NON-ROUTABLE IP address is not really an issue; the PIX will still only allow packets in that you've expressly permitted, and no one can connect to your internal hosts' actual addresses over the Internet anyway.
11-24-2004 12:52 AM
Picking up on what Glenn just explained, you can also issue "icmp deny any outside" in your PIX config, then go to www.grc.com and try out 'Shields Up' and check the result.
Jay
11-24-2004 07:53 AM
Many of these kinds of sites will download a small Java (or ActiveX) applet that will report your internal information.
The only way to really avoid that issue is to turn off Java and ActiveX controls in your browser's preferences (turn them on only when you need to).
Some software firewalls (on the PCs) will also screen Java/ActiveX applets and at least let you know that it came through (or was blocked).
FWIW
Scott