02-18-2014 10:18 AM - edited 03-11-2019 08:47 PM
Looking at an ASA 8.2.1 with the following:
- No ACL (inbound or outbound) applied to the inside interface (no outbound ACL on the outside interface)
- IP reverse path verify not set on any interface
- Internal network (behind inside interface) is privately addressed
- NAT control is not enabled.
- The Dynamic NAT is set using an access list
global (outside) 1 interface
nat (inside) 1 access-list MYACL
access-list MYACL extended permit ip MY_Internal_Net MY_internal_Mask host W.X.Y.Z
My question is whether it is conceivable for someone on the internal network to set a source address that is a publicly routable address and access the Internet in some way. My thinking being that:
- No ACL has been applied to the inside interface so traffic from higher security level to lower will be permitted; especially given that NAT control has not been enabled.
- Unicast RPF protection is not in place via the reverse path verify command, so perhaps someone internally could set their machine to a publicly routable address and make outbound requests, and as long as the source address set is not in use, the traffic may just be routed out by the ASA and returned to it with the response traffic.
Is this possible or is it impossible in this setup for internal hosts to make any kind of connection with remote hosts or to even send traffic to any Internet hosts (without expecting a response)? Thanks.
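
Added example, not part of the original post and not Cisco code: a small Python model of the strict reverse-path check that the `ip verify reverse-path interface` command (the setting the post notes is absent) applies to packets arriving on an interface. The routing table and packet addresses are constructed; 10.0.0.0/8 is an assumed stand-in for the elided MY_Internal_Net, and the public sources are documentation-range addresses.

```python
import ipaddress

# Constructed routing table (assumption): the post elides the real prefix
# as MY_Internal_Net / MY_internal_Mask, so 10.0.0.0/8 stands in for it.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),  # default route
]

def best_route_interface(addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if ip in net]
    return max(matches)[1] if matches else None

def urpf_accepts(src, arrival_interface):
    """Strict reverse-path check: the route back to the source address
    must point out of the interface the packet arrived on."""
    return best_route_interface(src) == arrival_interface

def check_packets(packets):
    """Return (src, interface, verdict) for each (src, interface) pair."""
    return [(src, ifc, "accept" if urpf_accepts(src, ifc) else "drop")
            for src, ifc in packets]

# Constructed sample traffic, labelled by what each case represents.
SAMPLE = [
    ("10.1.2.3", "inside"),       # internal host using its own address
    ("203.0.113.5", "inside"),    # internal host using a public source
    ("198.51.100.9", "outside"),  # Internet source arriving on outside
    ("10.9.9.9", "outside"),      # internal source arriving on outside
]

if __name__ == "__main__":
    for src, ifc, verdict in check_packets(SAMPLE):
        print(f"{src:<14} on {ifc:<8} -> {verdict}")
```

With the check modelled on the inside interface, a public source address arriving there fails the lookup because the route back to it is the default route via outside.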