On Wed, May 09, 2001 at 10:10:49AM +1000, Ben Nagy wrote:
> > -----Original Message-----
> > From: Kelly, Patrick [mailto:[EMAIL PROTECTED]]
> > I have seen the scenario where clients insist on doing NAT at the perimeter
> > router. This leads to the configuration of the firewall to be configured
> > with private IP addresses on 'external' and 'internal' interfaces.
>
> That's possibly sub-optimal, but not hideous. It will cause problems if you
> want to do IPSec VPN stuff in the future, though.
>
> > The end result is no way to log or monitor from the firewall any
> > access attempts from public ip address sources.
>
> I don't understand why.
>
> > The client insists that this
> > is due to the
> > fact that no one can get through the NAT of the router.
>
> Sadly, I don't know of any routers that filter inbound packets for the
> private IP range that they are protecting. If the attacker can somehow get a
> packet for your private network routed as far as your NAT router it will
> probably go straight through, unless there are also filters on the
> router.[1]
Could you elaborate on this statement? " . . . don't know of any routers
that filter ... ... unless there are also filters on the router"
Do you mean "routers that automatically/by default filter ..."?
> [1] We had a thread about this a couple of months ago, in which I said "Any
> NAT implementation that is not brain dead should block any packets that are
> not addressed to a valid NAT translation". I still believe this, but I had
> some Cisco gear on the bench recently and noticed that it met my "brain
> dead" criteria. D'oh.
In context with my question above, one can add the desired filters, no?
Cisco allows both inbound and outbound filters on every real interface
and subinterface. Also, with the possibility of more than one subnet
hanging off an interface, there is a plausible reason for allowing packets
to flow out of an interface with a NAT subnet that are bound for other
non-NAT (or other-NAT) destinations on that same interface.
Also, what router manufacturer offers such blocking? That would be
most illuminating for our purchasing decisions...
--
Henry Yen <[EMAIL PROTECTED]>
netcom shell refugee '94. [EMAIL PROTECTED],[EMAIL PROTECTED]
Hicksville, New York
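As an added example (not part of this thread and not anyone's quoted configuration), here is the kind of inbound filter the discussion refers to, written for a Cisco IOS router that does the NAT itself; the interface names Serial0/0 and FastEthernet0/0, the inside subnet 192.168.1.0/24, the public NAT address 203.0.113.10 and the syslog host 192.168.1.10 are all assumed:

```cisco
! Assumed example: NAT router whose outside interface carries an inbound
! filter doing what the thread says a sane NAT ought to do on its own.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: nothing from the Internet may claim an RFC 1918 source
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Nothing from the Internet may be addressed to the private network
 remark behind the NAT; otherwise such packets are simply routed inward
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Only packets for the public NAT address reach the translation step;
 remark the NAT table, not this ACL, then decides whether a translation exists
 permit ip any host 203.0.113.10
 deny   ip any any log
!
interface Serial0/0
 description Internet (outside) - assumed interface
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/0
 description Towards the firewall (inside) - assumed interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Overload (PAT) the assumed inside subnet onto the outside interface address
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
! Send the ACL log messages to an assumed syslog host on the inside
logging 192.168.1.10
```

The `log` keyword on the deny entries is what restores the visibility the original poster lost when the firewall stopped seeing public source addresses: each dropped probe is recorded with its real source. The final permit only narrows inbound traffic to the NAT address; whether a given packet matches a valid translation is still decided by the NAT table.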