11-21-2019 03:59 AM - edited 02-21-2020 09:42 AM
Hi Experts,
We have a requirement for rules to be allowed for penetration testing from an outside public IP to scan all the internal networks on port 'any'.
Typically, we've seen PAT from inside to outside; is there any configuration to be done to accomplish this? If yes, could you please give an overview of the NAT and access rules?
Thanks for your time and support.
Source: 1.1.1.1 (For example)
Destination: 10.0.0.0/8 and 192.168.0.0/24
Port: Any
11-21-2019 04:39 AM
11-22-2019 06:03 AM
Hi, thanks RJI for the reply. Since they are non-domain users, is there anything we need to configure extra at the firewall or AD level?
11-22-2019 06:36 AM
Well, if you provide them remote access, you would need to configure AnyConnect remote access VPN on the ASA/FTD, example here. You could just create them an AD account to authenticate to the VPN.
HTH
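As an added illustration of the approach this reply recommends (this is not configuration from the poster or from Cisco documentation), the following ASA 9.x-style snippet shows an AnyConnect remote-access profile that is deliberately confined to the two networks listed in the question. Everything specific here is an assumption: the interface names `inside`/`outside`, the address pool `172.16.250.0/24`, the AAA server group `AD_LDAP` and its host/DN values, the time range dates, and the AnyConnect package filename, which is a placeholder to be replaced with the package actually uploaded to flash.

```cisco
! --- Added example, not the original post's configuration. All names/addresses are assumptions. ---

! Time window for the engagement (placeholder dates); the group policy below refuses logins outside it
time-range PENTEST_WINDOW
 absolute start 00:00 1 December 2019 end 23:59 7 December 2019

! Address pool handed to the pentester's AnyConnect client (assumed range)
ip local pool PENTEST_POOL 172.16.250.1-172.16.250.10 mask 255.255.255.0
object network PENTEST_POOL_NET
 subnet 172.16.250.0 255.255.255.0

! The two in-scope internal networks from the question
object-group network PENTEST_SCOPE
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.255.0

! Split tunnel: only the in-scope networks are routed into the tunnel
access-list PENTEST_SPLIT standard permit 10.0.0.0 255.0.0.0
access-list PENTEST_SPLIT standard permit 192.168.0.0 255.255.255.0

! vpn-filter is evaluated with the VPN client as source; anything outside PENTEST_SCOPE is dropped by the implicit deny
access-list PENTEST_VPN_FILTER extended permit ip object PENTEST_POOL_NET object-group PENTEST_SCOPE

! NAT exemption so VPN pool traffic reaches internal hosts untranslated (no PAT needed for this direction)
nat (inside,outside) source static any any destination static PENTEST_POOL_NET PENTEST_POOL_NET no-proxy-arp route-lookup

! Authentication against AD over LDAP (assumed server, base DN and bind account; LOCAL as fallback only)
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=local
 ldap-login-dn CN=asa-bind,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password PLACEHOLDER_BIND_PASSWORD
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft

! Group policy: SSL client only, scoped split tunnel, filter, one concurrent session, time-boxed access
group-policy PENTEST_GP internal
group-policy PENTEST_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PENTEST_SPLIT
 vpn-filter value PENTEST_VPN_FILTER
 vpn-simultaneous-logins 1
 vpn-access-hours value PENTEST_WINDOW

! Dedicated tunnel group so the engagement account cannot land in a broader corporate profile
tunnel-group PENTEST_TG type remote-access
tunnel-group PENTEST_TG general-attributes
 address-pool PENTEST_POOL
 authentication-server-group AD_LDAP LOCAL
 default-group-policy PENTEST_GP
tunnel-group PENTEST_TG webvpn-attributes
 group-alias PENTEST enable

! Enable AnyConnect on the outside interface (package filename is a placeholder)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
```

The pieces that keep this safer than an inbound "permit any port" rule from a public IP are the `vpn-filter` (the client can only reach the agreed scope regardless of what it sends), the `vpn-access-hours` time range (the profile stops working when the engagement ends), and the dedicated tunnel group and AD account, which give `show vpn-sessiondb anyconnect` and the AD logs a clean record of exactly who connected and when. Remove the tunnel group and group policy when the test is over rather than leaving them disabled.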
11-21-2019 08:26 AM
The requirement isn't too smart. If this is only for pentest, you could allow VPN access to those internal networks; if you don't have the license to deploy AnyConnect, you could request trial ones from cisco.com/go/license.
regards