Solved

NAT the Outside network with PIX firewall

Posted on 2004-03-31
3,181 Views
Last Modified: 2013-11-16
Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?


I have an application in my corporate network, which I would like to make available to an external party on the Internet. This application is configured to accept only connections from a specific IP Addresses (like an ACL).

The external party is using an ADSL modem which obtains a random IP Address assigned by the ISP. Therefore, I would like to use NAT on the outside (Internet), to give it a fixed IP Address on the inside on my corporate network.

Is this possible? If yes, what commands do I use to configure it?


Also, please advise if there is any danger in doing so, or what are my alternatives.
Question by:wlseet
9 Comments
 
LVL 2

Expert Comment

by:ccallison
ID: 10729375
You will be setting up a static NAT assignment, and it can go in either direction.  You will need to set either a conduit or ACL to allow the proper port to be presented to the outside world.  Is this an application that you can be sure the rest of the world won't bang on?  If it's sensitive enough to worry about, then consider setting up some sort of authentication or authorization scheme before allowing its use.  You can use local accounts set up on the PIX or TACACS+/RADIUS accounts to prevent unintended use.  That frees you up from thinking about access restrictions based on IP addressing.

Here are the basics of the static NAT logic:

1.  The ACL applied to your outside IF needs to include whatever ports this application needs:
access-list outside-ingress permit tcp any host <<OUTSIDEIP>> eq https

2. This is the static address assignment:
static (inside,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255 0 0

3. This is the access-list applied to your outside IF:
access-group outside-ingress in interface outside

If you want to add AAA and you already have some kind of RADIUS running, it's a breeze to add a few special user accounts and rules to support this.

Cheers!

 

Author Comment

by:wlseet
ID: 10729453
By design, the application is coded to accept connections from a specific IP Address.

Since the IP Address from the Internet is random, they cannot access the application unless their IP Address has been defined in the application.

Therefore, I need the IP Address from the Internet, to be translated to an internal IP Address, which is fixed to only 1 internal IP Address for easy maintenance on my application.

How do I do that?
 
LVL 2

Expert Comment

by:ccallison
ID: 10730368
Your question was:  Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?  - The key word being "an", as in a single Outside IP address.

Now you're saying that you want to NAT any Internet address to a single address to present on your LAN.  You know that's about the most backwards implementation you could configure all for "easy" maintenance?

I don't know if the PIX can globally present all Internet addresses through a single internal address, because that would break all other outbound traffic.

You're trying too hard to use IP addresses to create a security configuration.  You need to get over it.  If it's that important to restrict addresses, then have your client come through a VPN tunnel and assign them an internal LAN address.
 
LVL 1

Expert Comment

by:fcisler
ID: 10732178
ccallison explained it fine so I'm not going to reinvent the wheel, but I don't suggest forwarding a whole ext. IP to a whole internal IP....why?

1) hack into that machine and you're on the whole network
2) I'm gonna bet it's a windows machine, and that's just asking for trouble
3) figure out what ports it runs on and forward those...

here's my suggestion:

Set up SSH (I love it) on a machine, forward one port (udp/22 I believe) and have them ssh in....right there you can set up port forwarding, and it will look like it's coming from internal....it's also VERY secure
 
LVL 11

Accepted Solution

by:
billwharton earned 500 total points
ID: 10734242
WLSEET

I have only read your question and not the other comments in this post. However, I understand your requirements and you are trying to achieve a simple case of BI-directional NAT. What is different about your case is that you need to NAT a dynamic IP (DSL) to an inside IP. Since it is an unknown IP, I suggest these steps:

- Find out what the current IP address of your DSL client is and see what it changes to in a couple of days. Usually, it would change in the same subnet or a very close subnet. Hence, you would be able to calculate a subnet and network mask and if anybody else from this subnet mask tries to access this server, he would be able to get in. That's the security risk though I assume you are also using password authentication on the server.

These statements are to be used:

===========
Assumptions:
===========
The dynamic DSL network is 22.22.22.0/24 after a few days of observation.
Server IP is 10.1.1.1 & is only accepting requests from IP: 10.5.5.5
You have applied access-list 101 on your outside interface

==============
Needed Statements
==============
global (inside) 5 10.5.5.5
nat (outside) 5 22.22.22.0 255.255.255.0 outside

access-list 101 permit ip 22.22.22.0 255.255.255.0 host 10.1.1.1
Or you could limit it to a particular port:
access-list 101 permit tcp/udp 22.22.22.0 255.255.255.0 host 10.1.1.1 eq (port number)


In case all of this is very confusing, kindly send me your current IP's and your PIX configuration and I would be glad to give you accurate statements which you would simply copy/paste.

As far as security goes, you have to weigh the risks with the benefits. This solution is not your everyday solution but I have seen it implemented in difficult situations like this.

Thank you

 
LVL 2

Expert Comment

by:ccallison
ID: 10736610
If you're not willing to do a vpn solution, then the ssh idea has merit.  Even NAT'ing the ISP's subnet from which your client MIGHT be coming from is a fuzzy solution.  You may break other traffic patterns unintentionally.  It's like installing a peephole on your front door the wrong direction....
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10752507
I would set up the remote ADSL site with a PIX or Cisco router, and then set up a dynamic VPN from that site to your central site, authenticated by a pre-shared secret known only to you, or better still, a certificate.
That way, it doesn't matter that the address is variable, as the VPN is created based on the authentication alone.

If cost is an issue, set the remote ADSL site up with a VPN Client, so that they can access the application.

..and remember, security based on whether or not a user is behind a specific IP address is NOT the way to go.  IP addresses can be spoofed, other users could use his connection, etc etc.

Think about authenticating the user properly.  Maybe even some form of two-factor authentication - RSA SecurID or Aladdin eToken.
 

Author Comment

by:wlseet
ID: 10764620
I would say that billwharton hit it spot on.
Sorry for the delay, I've been out of reach for a couple of days after the weekend.

I tried the suggestion by billwharton. As my internal IP addresses are not registered IP addresses, I used the static command to give it an "outside" IP address, so that it can be reached.

static (inside,outside) w.x.y.z 10.1.1.1

where w.x.y.z is the registered IP address I have.

Is this correct?
I assume so, cause it works.

As for security, the application not only accepts connection from a pre-defined IP, it also prompts for authentication (username/password).

I'm awarding full points to billwharton.
Thanks to everyone for their contribution.

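The accepted solution (outside NAT of the observed DSL subnet to 10.5.5.5) and the asker's follow-up (a static so the private server is reachable) put together as one PIX 6.x fragment. This is an added example, not a configuration anyone posted in the thread; it reuses the thread's addresses (22.22.22.0/24, 10.1.1.1, 10.5.5.5, and w.x.y.z as a placeholder for the registered address) and assumes the interfaces are already configured and that the application listens on TCP 443.

```cisco
! Added example, not from the thread. Assumes interfaces are already named
! and addressed, and that the application port is TCP 443 (assumption).
!
! Outside NAT: connections arriving from the observed DSL /24 have their
! source rewritten to 10.5.5.5 (pool id 5), which is the one address the
! application's built-in IP check expects. The trailing "outside" keyword
! marks this as outside NAT on PIX 6.2+.
nat (outside) 5 22.22.22.0 255.255.255.0 outside
global (inside) 5 10.5.5.5
!
! Static translation: the server's private 10.1.1.1 is presented on the
! Internet as the registered address w.x.y.z (placeholder).
static (inside,outside) w.x.y.z 10.1.1.1 netmask 255.255.255.255 0 0
!
! Inbound ACL: only the observed /24, only the application port.
! On PIX 6.x the inbound ACL matches the destination as the global
! (translated) address, so the static's public address is used here,
! not 10.1.1.1. The explicit deny with "log" makes rejected attempts
! visible in syslog, which is the check that tells you whether the
! DSL client's address has drifted out of the assumed /24.
access-list 101 permit tcp 22.22.22.0 255.255.255.0 host w.x.y.z eq 443
access-list 101 deny ip any any log
access-group 101 in interface outside
!
! Caveat that billwharton raised: every host in 22.22.22.0/24 now
! satisfies the application's source-IP check, so the application's
! own username/password prompt is doing the real access control.
```

After a test connection from the DSL side, `show xlate` should list an outside-to-inside translation of the client's address to 10.5.5.5 alongside the inside-to-outside static for 10.1.1.1; if the client's address has moved outside the /24, the connection shows up instead as a logged deny from access-list 101.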
 
LVL 11

Expert Comment

by:billwharton
ID: 10764999
wlseet

I am glad you resolved the problem.