Internal traffic showing in snort logs?

Don't have much experience with this stuff:

I have Snort running in my DMZ.  I am doing double NAT in my network because I once had externally accessible hosts that were on the inside (VLAN'd... stupid, I know).

Anyway, the issue is that I'm seeing traffic that is supposed to be NATTED, showing up in my /var/log/snort/alert

[**] [1:2229:4] WEB-PHP viewtopic.php access [**]
[Classification: Web Application Attack] [Priority: 1]
07/01-01:38:28.919875 192.168.2.12:3254 -> 207.44.xxx.xx:80
TCP TTL:128 TOS:0x0 ID:29883 IpLen:20 DgmLen:754 DF
***AP*** Seq: 0xE00A8E3  Ack: 0x8CF1435C  Win: 0xFD5C  TcpLen: 20



     ISP
     |
gateway router  <------------NAT (private to public)
     |
     |
   switch  <---cisco switch with port mon for snort
   |       |    
   |       |
IDS    PIX    <---------NAT  (private to private so I can do PAT)
           |
    Internal Router  
----------------------------------------------
info:
Gateway router e0 = 69.137.229.x
Gateway router e1 = 192.168.1.1
IDS  192.168.1.5
PIX external int = 192.168.1.2
PIX internal int = 192.168.2.1
Internal Router e0 = 192.168.2.5

DMZ ip address scheme: 192.168.1.0/28
Internal Network ip address : 192.168.2.0/24

*Clients use 192.168.2.5 as gateway due to the presence of VLANs on internal LAN.

Any ideas as to why an internal address, 192.168.2.12, is showing up in my DMZ when it is supposed to be NATTED to 192.168.1.0?

Thanks
dissolvedAsked:

dissolvedAuthor Commented:
And I have no idea why Snort thought that was an attack; I was visiting a web page??
lrmooreCommented:
You should never see any 192.168.2.x IPs outside the PIX...
Can you post your pix global/nat statements?

dissolvedAuthor Commented:
Can't get to my PIX remotely, but I can get to my gateway router (192.168.1.1).
Here's a sh ip nat trans.  Again, 192.168.2.0 is showing in the sh ip nat trans....

        inside global                   inside local         outside local        outside global
tcp 69.137.229.140:51304  192.168.1.5:51304 192.168.2.1:485   192.168.2.1:485
tcp 69.137.229.140:51305  192.168.1.5:51305 192.168.2.1:485   192.168.2.1:485
tcp 69.137.229.140:51306  192.168.1.5:51306 192.168.2.1:485   192.168.2.1:485
 --More--


The PIX, 192.168.2.1, is showing up as outside local / outside global in my router. This shouldn't be right?

lrmooreCommented:
Looks like you've either bypassed nat on the PIX with nat zero, or you have a static same,same inside/outside bypassing nat on the pix.

Can you post the nat statements from the router?
dissolvedAuthor Commented:
Here are the NAT statements from my router:

interface Ethernet0
 description Connected to Comcast
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 description Connected to DMZ hub. Feeds uplink
 ip address 192.168.1.1 255.255.255.240
 ip nat inside
 no mop enabled

ip nat inside source list 2 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.5 22 69.137.229.140 22 extendable   (SSH box, as well as IDS box)

ip nat inside source static udp 192.168.1.4 53 69.137.229.140 53 extendable
dissolvedAuthor Commented:
So you can bypass the PIX if I have a static statement? What is nat zero?
lrmooreCommented:
>ip nat inside source list 2 interface
so, where's access-list 2?

>so you can bypass PIX if I have a static statement? What is nat zero?
Yes. Two ways to bypass nat:

With nat zero, where 0 = don't nat from this subnet
nat (inside) 0 192.168.2.0 255.255.255.0

Or, with static same same subnet static
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

What I would expect to see in the PIX if you want to NAT/PAT
ip address outside 192.168.1.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0 <= local subnet
  or
nat (inside) 1 0 0 0 <== any

Either way, all traffic from inside hosts will be seen by the outside router (and the Snort) as their native 192.168.2.x ip address..
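As an added illustration (not part of this thread, and not code from either poster), the following Python checker applies lrmoore's rule mechanically: any packet at the DMZ sensor whose source or destination still carries an address from the inside range (192.168.2.0/24 in this thread) means the PIX did not translate it, or the sensor is seeing the inside segment. It parses full-format Snort alert headers like the one in the question; the sample alerts are constructed (the first mirrors the posted alert, with a TEST-NET-2 address standing in for the redacted destination), and the network list is an assumption you would adapt to your own PIX nat statements.

```python
import ipaddress
import re

# Snort full-alert signature line, e.g. "[**] [1:2229:4] WEB-PHP viewtopic.php access [**]"
SIG_RE = re.compile(
    r"^\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s*$"
)

# Snort packet-header line, e.g. "07/01-01:38:28.919875 192.168.2.12:3254 -> 198.51.100.20:80"
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Assumed: inside ranges the PIX is supposed to translate before traffic reaches
# the DMZ. 192.168.2.0/24 is the internal LAN named in the question.
HIDDEN_NETS = ["192.168.2.0/24"]

# Constructed sample alerts. The first mirrors the alert posted in the question;
# its destination was redacted there, so a TEST-NET-2 address stands in for it.
SAMPLE_ALERTS = """\
[**] [1:2229:4] WEB-PHP viewtopic.php access [**]
[Classification: Web Application Attack] [Priority: 1]
07/01-01:38:28.919875 192.168.2.12:3254 -> 198.51.100.20:80
TCP TTL:128 TOS:0x0 ID:29883 IpLen:20 DgmLen:754 DF

[**] [1:1000001:1] CONSTRUCTED dmz host outbound [**]
[Classification: Misc activity] [Priority: 3]
07/01-01:40:02.000001 192.168.1.5:51304 -> 198.51.100.20:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] CONSTRUCTED inbound probe [**]
[Classification: Misc activity] [Priority: 3]
07/01-01:41:00.000002 203.0.113.7:4444 -> 192.168.1.2:80
TCP TTL:50 TOS:0x0 ID:2 IpLen:20 DgmLen:60
"""


def find_untranslated(alert_text, hidden_nets=HIDDEN_NETS):
    """Return (timestamp, role, address, network, signature) for every alert
    whose source or destination lies in a network that should have been
    NATed away before the packet reached the sensor."""
    nets = [ipaddress.ip_network(n) for n in hidden_nets]
    findings = []
    current_sig = None
    for line in alert_text.splitlines():
        sig = SIG_RE.match(line)
        if sig:
            # Remember the signature so the packet line that follows can be labelled.
            current_sig = sig.group("msg")
            continue
        pkt = PKT_RE.match(line)
        if not pkt:
            continue
        for role in ("src", "dst"):
            addr = ipaddress.ip_address(pkt.group(role))
            hit = next((n for n in nets if addr in n), None)
            if hit is not None:
                findings.append((pkt.group("ts"), role, str(addr), str(hit), current_sig))
    return findings


def summarize(findings):
    """Count leaked addresses so the offending inside hosts stand out."""
    counts = {}
    for _ts, _role, addr, _net, _sig in findings:
        counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    leaks = find_untranslated(SAMPLE_ALERTS)
    for ts, role, addr, net, sig in leaks:
        print(f"{ts} {role}={addr} is in {net} (should have been NATed): {sig}")
    print(summarize(leaks))
```

Run against a real /var/log/snort/alert, a non-empty result tells you NAT is being bypassed (nat zero, a same-same static) or, as it turned out in this thread, that the mirror port is feeding the sensor traffic from the wrong side of the firewall; the checker cannot distinguish the two, so the next step is still the PIX xlate table and the switch's monitor-session configuration.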
dissolvedAuthor Commented:
>>so, where's access-list 2?
Here's the ACL from the router for NAT:
access-list 2 permit 192.168.1.0 0.0.0.255


I'll try and get a copy of my pix config at lunchtime.

>>Either way, all traffic from inside hosts will be seen by the outside router (and the Snort) as their native 192.168.2.x ip address..

This should change once I get NAT working in the Pix again right?
thanks
dissolvedAuthor Commented:
hmm, I just thought of something. If my access list for the external router is 192.168.1.0, then how are 192.168.2.0 clients able to reach the internet if they truly are bypassing PIX NAT?
lrmooreCommented:
Ja, that's a big question in my mind, too....
And why would it be the PIX's INside interface IP as the inside local/inside global?

One of those things that make you want to go hmmmmmmmmmmmm

I guess I'd have to see both the router and PIX complete configs..
dissolvedAuthor Commented:
Ok, I'm about to post the PIX and router config. I just realized something. The subnet mask for my NAT on the PIX, is not what it should be.  I have it set as /28. When in all reality it should be /24 because I changed it on all my hosts
dissolvedAuthor Commented:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name spira
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any interface outside echo-reply
access-list outside_in permit icmp any interface outside unreachable
access-list outbound_policy deny tcp any any eq ftp
access-list outbound_policy deny tcp any host x.x.x.x.x
access-list outbound_policy deny tcp any host x.x.x..x.x
access-list outbound_policy permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.240
ip address inside 192.168.2.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.240 0 0
nat (inside) 1 192.168.3.0 255.255.255.240 0 0
nat (inside) 1 192.168.4.0 255.255.255.240 0 0
access-group outside_in in interface outside
access-group outbound_policy in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp inside
telnet 192.168.2.0 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

: end
pix#
dissolvedAuthor Commented:
2514#sh run
Building configuration...

Current configuration : 1706 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2514
!
logging rate-limit console 10 except errors

!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
!
!
!
interface Loopback3
 no ip address
!
interface Ethernet0
 description Connected to Comcast
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 description Connected to DMZ hub. Feeds uplink
 ip address 192.168.1.1 255.255.255.240
 ip nat inside
 no mop enabled
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip nat inside source list 2 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.5 22 69.137.229.140 22 extendable
ip nat inside source static udp 192.168.1.4 53 69.137.229.140 53 extendable
ip classless
ip http server
!
!
ip access-list extended border_protect
 permit icmp any any packet-too-big
 permit udp host 68.87.64.196 eq domain any
 permit udp host 68.87.66.196 eq domain any
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any host 69.137.229.140 established
 permit udp any host 69.137.229.140 eq domain
 permit tcp any host 69.137.229.140 eq 22
 deny   ip host x.x.x.x any
 permit ip any any
 deny   ip any any
access-list 2 permit 192.168.1.0 0.0.0.255
!
snmp-server community getifread RO
snmp-server community getif RW
!
line con 0
 
 transport input none
line aux 0
line vty 0 4

 login
!
end
dissolvedAuthor Commented:
you know what, I know what's wrong. The switch the IDS is connected to is where the PIX and internal router interface

I know this sounds confusing, but here's what it looks like

external router
      |
      |
s   w   i   t   c   h
|       |       |
pix   ids      |
            internal router

So essentially, the PIX, IDS and internal router are all on the same switch. (I'm guessing this isn't the best way to connect devices.) The only reason I did this was because my internal router only has one e0.

I'm doing port mon on all the ports, and shooting them to where the IDS is connected. Is this why we're seeing internal IPs?


dissolvedAuthor Commented:
You don't have to respond if I'm right with my assumption. No news is good news.

Like always, I carried this post into something too big :-D

lrmooreCommented:
D'OH! Unless you VLAN that switch you're going to have a hard time with arp showing up on both interfaces..
Sorry about not responding sooner, darned paying job keeps getting in the way...

dissolvedAuthor Commented:
>Sorry about not responding sooner, darned paying job keeps getting in the way
LMAO!