NAT the Outside network with PIX firewall

Posted on 2004-03-31
Last Modified: 2013-11-16
Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?


I have an application in my corporate network, which I would like to make available to an external party on the Internet. This application is configured to accept only connections from a specific IP Addresses (like an ACL).

The external party is using an ADSL modem which obtains a random IP Address assigned by the ISP. Therefore, I would like to use NAT on the outside (Internet), to give it a fixed IP Address on the inside on my corporate network.

Is this possible? If yes, what commands do I use to configure it?


Also, please advise if there is any danger in doing so, or what are my alternatives.
Question by: wlseet

9 Comments
Expert Comment by: ccallison (LVL 2)
You will be setting up a static NAT assignment, and they can go either direction.  You will need to set either a conduit or ACL to allow the proper port to be presented to the outside world.  Is this an application that you can be sure the rest of the world won't bang on?  If it's sensitive enough to worry about, then consider setting up some sort of authentication or authorization scheme before allowing its use.  You can use local accounts set up on the PIX or TACACS+/RADIUS accounts to prevent unintended use.  That frees you up from thinking about access restrictions based on IP addressing.

Here are the basics of the static NAT logic:

1.  The ACL applied to your outside IF needs to include whatever ports this application needs:
access-list outside-ingress permit tcp any host OUTSIDEIP eq https

2. This is the static address assignment:
static (inside,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255 0 0

3. This is the access-list applied to your outside IF:
access-group outside-ingress in interface outside

If you want to add AAA and you already have some kind of RADIUS running, it's a breeze to add a few special user accounts and rules to support this.

Cheers!

Author Comment by: wlseet
By design, the application is coded to accept connections from a specific IP Address.

Since the IP Address from the Internet is random, they cannot access the application unless their IP Address has been defined in the application.

Therefore, I need the IP Address from the Internet, to be translated to an internal IP Address, which is fixed to only 1 internal IP Address for easy maintenance on my application.

How do I do that?
Expert Comment by: ccallison (LVL 2)
Your question was:  Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?  - The key word being "an", as in a single Outside IP address.

Now you're saying that you want to NAT any Internet address to a single address to present on your LAN.  You know that's about the most backwards implementation you could configure, all for "easy" maintenance?

I don't know if the PIX can globally present all Internet addresses through a single internal address, because that would break all other outbound traffic.

You're trying too hard to use IP addresses to create a security configuration.  You need to get over it.  If it's that important to restrict addresses, then have your client come through a VPN tunnel and assign them an internal LAN address.
Expert Comment by: fcisler (LVL 1)
ccallison explained it fine so I'm not going to reinvent the wheel, but I don't suggest forwarding a whole ext. IP to a whole internal IP....why?

1) hack into that machine and you're on the whole network
2) I'm gonna bet it's a Windows machine, and that's just asking for trouble
3) figure out what ports it runs on and forward those...

Here's my suggestion:

Set up SSH (I love it) on a machine, forward one port (udp/22 I believe) and have them ssh in....right there you can set up port forwarding, and it will look like it's coming from internal....it's also VERY secure
Accepted Solution by: billwharton (LVL 11), earned 500 total points
WLSEET

I have only read your question and not the other comments in this post. However, I understand your requirements and you are trying to achieve a simple case of bi-directional NAT. What is different about your case is that you need to NAT a dynamic IP (DSL) to an inside IP. Since it is an unknown IP, I suggest these steps:

- Find out what the current IP address of your DSL client is and see what it changes to in a couple of days. Usually, it would change in the same subnet or a very close subnet. Hence, you would be able to calculate a subnet and network mask and if anybody else from this subnet mask tries to access this server, he would be able to get in. That's the security risk though I assume you are also using password authentication on the server.

These statements are to be used:

===========
Assumptions:
===========
The dynamic DSL network is 22.22.22.0/24 after a few days of observation.
Server IP is 10.1.1.1 & is only accepting requests from IP: 10.5.5.5
You have applied access-list 101 on your outside interface

==============
Needed Statements
==============
global (inside) 5 10.5.5.5
nat (outside) 5 22.22.22.0 255.255.255.0

access-list 101 permit ip 22.22.22.0 255.255.255.0 host 10.1.1.1
Or you could limit it to a particular port (substitute udp for tcp for a UDP service):
access-list 101 permit tcp 22.22.22.0 255.255.255.0 host 10.1.1.1 eq (port number)


In case all of this is very confusing, kindly send me your current IPs and your PIX configuration and I would be glad to give you accurate statements which you would simply copy/paste.

As far as security goes, you have to weigh the risks with the benefits. This solution is not your everyday solution but I have seen it implemented in difficult situations like this.

Thank you

Expert Comment by: ccallison (LVL 2)
If you're not willing to do a VPN solution, then the SSH idea has merit.  Even NAT'ing the ISP's subnet from which your client MIGHT be coming is a fuzzy solution.  You may break other traffic patterns unintentionally.  It's like installing a peephole on your front door the wrong direction....
Expert Comment by: Tim Holman (LVL 23)
I would set up the remote ADSL site with a PIX or Cisco router, and then set up a dynamic VPN from that site to your central site, authenticated by a pre-shared secret known only to you, or better still, a certificate.
That way, it doesn't matter that the address is variable, as the VPN is created based on the authentication alone.

If cost is an issue, set the remote ADSL site up with a VPN Client, so that they can access the application.

..and remember, security based on whether or not a user is behind a specific IP address is NOT the way to go.  IP addresses can be spoofed, other users could use his connection, etc etc.

Think about authenticating the user properly.  Maybe even some form of two-factor authentication - RSA SecurID or Aladdin eToken.
Author Comment by: wlseet
I would say that billwharton hit it spot on.
Sorry for the delay, I've been out of reach for a couple of days after the weekend.

I tried the suggestion by billwharton. As my internal IP addresses are not registered IP addresses, I used the static command to give it an "outside" IP address, so that it can be reached.

static (inside,outside) w.x.y.z 10.1.1.1

where w.x.y.z is the registered IP address I have.

Is this correct?
I assume so, because it works.

As for security, the application not only accepts connection from a pre-defined IP, it also prompts for authentication (username/password).

I'm awarding full points to billwharton.
Thanks to everyone for their contribution.
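
As an added illustration (not code from this thread), the following Python models the accepted solution's outside NAT together with the static that wlseet added, and shows what the application's own source-IP check actually sees once both are in place. The registered address w.x.y.z and the application port 443 are assumed placeholders, and the outside ACL is modelled as the single permit line from the accepted solution.

```python
import ipaddress

# Constructed values mirroring the accepted solution's assumptions; the
# registered outside address w.x.y.z is replaced by a documentation-range placeholder.
DSL_SUBNET = ipaddress.ip_network("22.22.22.0/24")        # nat (outside) 5 22.22.22.0 255.255.255.0
GLOBAL_INSIDE = ipaddress.ip_address("10.5.5.5")          # global (inside) 5 10.5.5.5
STATIC_OUTSIDE = ipaddress.ip_address("198.51.100.10")    # static (inside,outside) w.x.y.z 10.1.1.1
STATIC_INSIDE = ipaddress.ip_address("10.1.1.1")
APP_PORT = 443                                            # access-list 101 ... eq (port number), assumed 443
APP_ALLOWED_SOURCES = {ipaddress.ip_address("10.5.5.5")}  # the application's own source-IP filter


def pix_inbound(src, dst, dport):
    """Model the PIX handling of the first packet of an inbound connection.

    Returns (verdict, detail). Simplification (an assumption, not PIX documentation):
    the interface ACL is the single permit line from the accepted solution.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst != STATIC_OUTSIDE:          # nothing translates this destination inward
        return "dropped", "no translation for destination"
    real_dst = STATIC_INSIDE           # static (inside,outside): un-translate the destination
    if src not in DSL_SUBNET or dport != APP_PORT:
        return "dropped", "denied by access-list 101"
    # nat (outside) / global (inside): every source in the DSL subnet is rewritten
    # to the single inside address before the packet reaches the server.
    return "forwarded", (str(GLOBAL_INSIDE), str(real_dst), dport)


def app_accepts(src, dst, dport):
    """What the server sees: does the application's source-IP filter pass this packet?"""
    verdict, detail = pix_inbound(src, dst, dport)
    if verdict != "forwarded":
        return False
    return ipaddress.ip_address(detail[0]) in APP_ALLOWED_SOURCES


if __name__ == "__main__":
    cases = [
        ("22.22.22.40", "198.51.100.10", 443),   # the intended DSL client
        ("22.22.22.77", "198.51.100.10", 443),   # another customer in the same ISP subnet
        ("203.0.113.5", "198.51.100.10", 443),   # an arbitrary Internet host
        ("22.22.22.40", "198.51.100.10", 22),    # right client, wrong port
    ]
    for case in cases:
        print(case, pix_inbound(*case), "app accepts:", app_accepts(*case))
```

Running it shows the point ccallison and Tim Holman raise: the second case is accepted by the application exactly like the first, so the application's IP filter has effectively been widened to the whole ISP subnet and the username/password prompt is what actually protects the server.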

Expert Comment by: billwharton (LVL 11)
wlseet

I am glad you resolved the problem.
