NAT Security Question - Port Scanning

Start by reading this:
http://www.attrition.org/~modify/texts/phrack/Phrack55/P55-10
1st Q: not intrinsically; it depends on the user application that has the
port open.
2nd Q: it's always better to use reflexive routing; but not attached to the
pool.
a) apply an extended ACL on the external interface (out)
this will create reflexive entries in a reflexive ACL
b) apply an extended ACL on the external interface (in)
this will use the reflexive entries
this blocks everything else except specific exceptions
c) apply an extended ACL on the internal interface (in)
this is where you block undesirable outbound traffic
d) the ACL on your NAT pool should only serve to
restrict NAT to IP addresses on your internal net
Reflexive ACL is part of the standard IOS since 11.something
----- Original Message -----
From: Scott Langendorf
When an inside local node makes a connection through the router to, say, a
website, and they are dynamically assigned a socket (inside global), can
this be used as an opening for intrusion?
When I set up the pool, should I use an extended or reflexive or other type
access list to limit inbound connections to only hosts that are in a
conversation that started on the clean side of the router?
Right now I have: ip nat inside source list 10 pool whatever overload
I'm new to this and I bought a good book on access lists, but it's not too
clear on what version of IOS is needed for what features.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
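The four steps a) to d) in the reply above, written out as one IOS configuration. This is an added example, not from either poster; the interface names (Ethernet0 inside, Serial0 outside), the addresses (192.168.1.0/24 inside, 203.0.113.0/24 outside, both documentation ranges), the pool name "whatever" from the original question, and the ACL names (outbound, inbound, inside-in, tcptraffic) are all assumptions chosen for the example.

```cisco
! Constructed example: reflexive ACL around an overloaded NAT pool.
! Interface names, addresses and ACL names are assumptions, not from the thread.
!
interface Ethernet0
 description inside (clean side)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group inside-in in
!
interface Serial0
 description outside
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group outbound out
 ip access-group inbound in
!
ip nat pool whatever 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 10 pool whatever overload
!
! d) the NAT source list only decides which inside addresses get translated;
!    it is not a security filter
access-list 10 permit 192.168.1.0 0.0.0.255
!
! a) outside interface, outbound: every permitted session creates a reflexive
!    entry (reversed 5-tuple) in the temporary list "tcptraffic"
ip access-list extended outbound
 permit tcp any any reflect tcptraffic timeout 300
 permit udp any any reflect tcptraffic timeout 60
 permit icmp any any reflect tcptraffic
 deny ip any any log
!
! b) outside interface, inbound: return traffic matching a reflexive entry is
!    allowed, then any explicit exceptions, then everything else is dropped
ip access-list extended inbound
 evaluate tcptraffic
 remark explicit inbound exceptions (e.g. a statically translated server) go here
 deny ip any any log
!
! c) inside interface, inbound: stop undesirable traffic before it leaves
ip access-list extended inside-in
 deny tcp any any eq 135
 deny tcp any any range 137 139
 deny udp any any range 137 139
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
```

Two points worth checking on a real box. First, ordering: for inside-to-outside packets IOS translates before the outbound ACL on the outside interface is evaluated, and for outside-to-inside packets the inbound ACL is evaluated before translation, so the reflexive entries are created with and matched against the inside global (pool) address, which is what you want. Second, reflexive entries are only created from the reversed source/destination addresses and ports of the outbound packet, so protocols that open a second connection from the far end (active-mode FTP is the usual case) will not match an entry and need either passive mode or an explicit exception in the inbound list. Unsolicited probes against the pool address, the "port scanning" in the subject, hit the final deny and are logged.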