Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
530
Views
0
Helpful
4
Replies

Spoofing when no ACL / restricted Dynamic NAT

Private Private
Level 1
Level 1

‎02-18-2014 10:18 AM - edited ‎03-11-2019 08:47 PM

     Looking at an ASA 8.2.1 with the following:

- No ACL (inbound or outbound) applied to the inside interface (no outbound ACL on the outside interface)

- IP reverse path verify not set on any interface

- Internal network (behind inside interface) is privately addressed

- NAT control is not enabled.

- The Dynamic NAT is set using an access list

    global (outside) 1 interface

    nat (inside) 1 access-list MYACL

    access-list MYACL extended permit ip MY_Internal_Net MY_internal_Mask host W.X.Y.Z

My question is whether it is conceivable for someone on the internal network to set a source address that is a publicly routeable address and access the Internet in someway. My thinking being that:

- No ACL has been applied to the inside interface so traffic from higher security level to lower will be permitted; especially given that NAT control has not been enabled.

- Unicast RPF protection is not in place via the reverse path verify command so perhaps someone internally could set their machine to a publcily routeable address and make outbound requests and as long as the source address set is not in use, the traffic may just be routed out by the ASA and returned to it with the response traffic.

Is this possible or is it impossible in this setup for internal hosts to make any kind of connection with remote hosts or to even send traffic to any Internet hosts (without expecting a response)?  Thanks.

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Private Private
Level 1
Level 1

‎02-19-2014 07:12 AM

I've not been able to track down a real answer for this yet. Any thoughts on this would be appreciated. Thanks.

0 Helpful

Private Private
Level 1
Level 1
In response to Private Private

‎02-20-2014 05:49 AM

I am thinking that the question boils down to this: if someone were to set themselves an external public IP not in use on an internal device and were to send out requests, would the response from the receiving device find a route back to the request.

0 Helpful

Marius Gunnerud
VIP
VIP

‎02-20-2014 06:24 AM

Theoretically the ASA, in this case, would just forward the packet as any other normal packet.  But the user would have to manipulate the packet a little in order for th PC to send the packet to a default gateway that is not on the same subnet as its own IP.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

James Leinweber
Level 4
Level 4
In response to Marius Gunnerud

‎02-20-2014 01:41 PM

Short answer: communication no, sending yes. So I would be in favor of tightening the firewall configuration.

Getting bidirectional communications is not likely in this case because that would depend on the willingness of the upstream routers to send the return traffic back to the non-subnet address; this isn't likely unless you are an autonomous system who can inject BGP routes for darknet R&D.  Security researches publish papers using that tactic.   However, lack of actual ACL rules or RPF is just begging to let compromised hosts emit DDOS traffic with spoofed source addresses, and this configuration would just slide that stuff right out.

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card